Unreal Engine Issues and Bug Tracker (UE-63495)

Description

A licensee has reported a crash that is caused by a Buffer Overread in TBitArray's operator < function. While the licensee did not provide reproduction steps, the crash is apparent from looking at the offending code:

for (uint32 i = NumWords; i != ~0u; i--)
{
    if (Data0[i] != Data1[i])
    {
        return Data0[i] < Data1[i];
    }
}

Since this will cause the first read to go outside of the array, the licensee has suggested that this be fixed by adding a -1 to NumWords on the first line.

Regression?: No
This code was present in 4.19

Steps to Reproduce

No steps were provided, please refer to the description

Callstack

UE4Editor-Engine.dll!FSkeletalMeshLODRenderData::InitResources(bool bNeedsVertexColors, int LODIndex, TArray
  
    & InMorphTargets) Line 325    C++
     UE4Editor-Engine.dll!FSkeletalMeshRenderData::InitResources(bool bNeedsVertexColors, TArray
   
     & InMorphTargets) Line 147    C++
     UE4Editor-Engine.dll!USkeletalMesh::InvalidateRenderData() Line 1164    C++
     UE4Editor-Engine.dll!USkeletalMesh::PostEditChangeProperty(FPropertyChangedEvent & PropertyChangedEvent) Line 782    C++
     UE4Editor-CoreUObject.dll!UObject::PostEditChange() Line 348    C++
     UE4Editor-Engine.dll!USkeletalMesh::RemoveLegacyClothingSections() Line 1350    C++
     UE4Editor-Engine.dll!USkeletalMesh::PostLoad() Line 1494    C++
     UE4Editor-CoreUObject.dll!UObject::ConditionalPostLoad() Line 1009    C++
     UE4Editor-CoreUObject.dll!FAsyncPackage::PostLoadObjects() Line 6287    C++
     UE4Editor-CoreUObject.dll!FAsyncPackage::TickAsyncPackage(bool InbUseTimeLimit, bool InbUseFullTimeLimit, float & InOutTimeLimit, FFlushTree * FlushTree) Line 5551    C++
     UE4Editor-CoreUObject.dll!FAsyncLoadingThread::ProcessAsyncLoading(int & OutPackagesProcessed, bool bUseTimeLimit, bool bUseFullTimeLimit, float TimeLimit, FFlushTree * FlushTree) Line 4472    C++
     UE4Editor-CoreUObject.dll!FAsyncLoadingThread::TickAsyncThread(bool bUseTimeLimit, bool bUseFullTimeLimit, float TimeLimit, bool & bDidSomething, FFlushTree * FlushTree) Line 4985    C++
     UE4Editor-CoreUObject.dll!FAsyncLoadingThread::TickAsyncLoading(bool bUseTimeLimit, bool bUseFullTimeLimit, float TimeLimit, FFlushTree * FlushTree) Line 4720    C++
     UE4Editor-CoreUObject.dll!FlushAsyncLoading(int PackageID) Line 6805    C++

Community References

How does TextureRenderTarget2D get TArray<uint8> type data?

Why does the REMOVE method of map container remove elements have memory leaks?

How to delete some elements correctly when deleting an array loop?

Do I need to call Destory method to remove components from Actor when Destory method to remove Actor?

UMG RichText not appear image when packaged

Where can I download the source address of the deployment cotum service associated with the PixelStream plugin?

What is the cause of the packaging error falling back to 'GameUserSettings' in ue5?

How do I set a material as a post-processing material?

What is the difference between Camera and CineCamera?

Why can't I get the canvas panel slot geometry information in UMG?

Have Comments or More Details?

There's no existing public thread on this issue, so head over to Questions & Answers just mention UE-63495 in the post.

1	Login to Vote

Fixed

Component	UE - Foundation - Core
Affects Versions	4.19, 4.20, 4.21
Target Fix	4.22

Fix Commit	4332608
Main Commit	4772220
Release Commit	4862694

Created	Aug 29, 2018
Resolved	Aug 30, 2018
Updated	Feb 12, 2019

View Jira Issue

UE-63495

Crash caused by Buffer Overread in TBitArray operator < function

Crash caused by Buffer Overread in TBitArray operator < function

Have Comments or More Details?