#23 crash after loading specific config.cfg + autoexec.cfg

[Eric Wasylishen]

put the attached cfg's into a new directory called "custom"

game custom 
timedemo demo2 
> host error: progs/player.mdl not found 
q{tab} 
crash

reported by r00k ( http://celephais.net/board/view_thread.php?id=60452&start=3144&end=3145 )

[Eric Wasylishen]

The crash is in BuildTabList, one of the cmd_function_t structs in the cmd_functions list has had its memory clobbered so cmd->name is an invalid pointer.

So the error is happening somewhere before this, probably when the configs are execed, something is overflowing, because the host error: progs/player.mdl not found should also not have happened (I don't think so anyway!)

AddressSanitizer didn't catch anything.

[Ozkan Sezer]

AddressSanitizer didn't catch anything.

It possibly won't, unless at least you replace Hunk_Alloc()
with malloc() in Cmd_AddCommand()

[Ozkan Sezer]

If I replace Hunk_Alloc() with calloc() at least in Cmd_AddCommand(),
the game quits without segfault as of today's svn. However, the quit
is with a Sys_Error() from Z_Free():
Z_Free: freed a pointer without ZONEID

Unless I comment out VID_SyncCvars() call in Host_WriteConfiguration(),
it actually double faults, i.e. I see the recursive shutdown message.
(WHY we need to VID_SyncCvars() from within Host_WriteConfiguration(),
I really don't know...)

Something is clobbering hunk and/or zone.

I don't know where/how the zone is corrupted.