[GEN][ZH] Prevent reading invalid data from 'nti', 'm_teams' in TeamsInfoRec::addTeam() (#1122)

Author: xezon

Generals/Code/GameEngine/Source/GameLogic/Map/SidesList.cpp

@@ -1090,7 +1090,7 @@ void TeamsInfoRec::clear()
 { 
 	Int i;
 
-	for (i = 0; i < m_numTeamsAllocated; i++) 
+	for (i = 0; i < m_numTeams; ++i)
 		m_teams[i].clear(); 
 
 	m_numTeams = 0; 
@@ -1101,7 +1101,7 @@ void TeamsInfoRec::clear()
 
 TeamsInfo *TeamsInfoRec::findTeamInfo(AsciiString name, Int* index /*= NULL*/)
 {
-	for (int i = 0; i < m_numTeams; i++) 
+	for (int i = 0; i < m_numTeams; ++i)
 	{
 		if (m_teams[i].getDict()->getAsciiString(TheKey_teamName) == name)
 		{
@@ -1123,36 +1123,33 @@ void TeamsInfoRec::addTeam(const Dict* d)
 	DEBUG_ASSERTCRASH(m_numTeams < 1024, ("hmm, seems like an awful lot of teams..."));
 	if (m_numTeams >= m_numTeamsAllocated)
 	{
-	// pool[]ify
-		TeamsInfo* nti = NEW TeamsInfo[m_numTeamsAllocated + TEAM_ALLOC_CHUNK];	// throws on failure
-		
+		// pool[]ify
+		const Int newNumTeamsAllocated = m_numTeams + TEAM_ALLOC_CHUNK;
+		TeamsInfo* nti = NEW TeamsInfo[newNumTeamsAllocated];
 		Int i;
 
-		for (i = 0; i < m_numTeams; i++)
+		for (i = 0; i < m_numTeams; ++i)
 			nti[i] = m_teams[i];
 
-		for ( ; i < m_numTeamsAllocated + TEAM_ALLOC_CHUNK; i++) 
-			nti[i].clear(); 
-		
 		delete [] m_teams;
-
 		m_teams = nti;
-		m_numTeamsAllocated += TEAM_ALLOC_CHUNK;
+		m_numTeamsAllocated = newNumTeamsAllocated;
 	}
 
-	m_teams[m_numTeams++].init(d);
+	m_teams[m_numTeams].init(d);
+
+	++m_numTeams;
 }
 
 void TeamsInfoRec::removeTeam(Int i)
 {
 	if (i < 0 || i >= m_numTeams || m_numTeams <= 1)
 		return;
 
-	for ( ; i < m_numTeams-1; i++)
-		m_teams[i] = m_teams[i+1];
+	--m_numTeams;
 
-	for ( ; i < m_numTeamsAllocated; i++)
-		m_teams[i].clear();
+	for ( ; i < m_numTeams; ++i)
+		m_teams[i] = m_teams[i+1];
 
-	--m_numTeams;
+	m_teams[m_numTeams].clear();
 }

GeneralsMD/Code/GameEngine/Source/GameLogic/Map/SidesList.cpp

@@ -1100,7 +1100,7 @@ void TeamsInfoRec::clear()
 { 
 	Int i;
 
-	for (i = 0; i < m_numTeamsAllocated; i++) 
+	for (i = 0; i < m_numTeams; ++i) 
 		m_teams[i].clear(); 
 
 	m_numTeams = 0; 
@@ -1111,7 +1111,7 @@ void TeamsInfoRec::clear()
 
 TeamsInfo *TeamsInfoRec::findTeamInfo(AsciiString name, Int* index /*= NULL*/)
 {
-	for (int i = 0; i < m_numTeams; i++) 
+	for (int i = 0; i < m_numTeams; ++i) 
 	{
 		if (m_teams[i].getDict()->getAsciiString(TheKey_teamName) == name)
 		{
@@ -1133,36 +1133,33 @@ void TeamsInfoRec::addTeam(const Dict* d)
 	DEBUG_ASSERTCRASH(m_numTeams < 2048, ("%d teams have been allocated (so far). This seems excessive.", m_numTeams ));
 	if (m_numTeams >= m_numTeamsAllocated)
 	{
-	// pool[]ify
-		TeamsInfo* nti = NEW TeamsInfo[m_numTeamsAllocated + TEAM_ALLOC_CHUNK];	// throws on failure
-		
+		// pool[]ify
+		const Int newNumTeamsAllocated = m_numTeams + TEAM_ALLOC_CHUNK;
+		TeamsInfo* nti = NEW TeamsInfo[newNumTeamsAllocated];
 		Int i;
 
-		for (i = 0; i < m_numTeams; i++)
+		for (i = 0; i < m_numTeams; ++i)
 			nti[i] = m_teams[i];
 
-		for ( ; i < m_numTeamsAllocated + TEAM_ALLOC_CHUNK; i++) 
-			nti[i].clear(); 
-		
 		delete [] m_teams;
-
 		m_teams = nti;
-		m_numTeamsAllocated += TEAM_ALLOC_CHUNK;
+		m_numTeamsAllocated = newNumTeamsAllocated;
 	}
 
-	m_teams[m_numTeams++].init(d);
+	m_teams[m_numTeams].init(d);
+
+	++m_numTeams;
 }
 
 void TeamsInfoRec::removeTeam(Int i)
 {
 	if (i < 0 || i >= m_numTeams || m_numTeams <= 1)
 		return;
 
-	for ( ; i < m_numTeams-1; i++)
-		m_teams[i] = m_teams[i+1];
+	--m_numTeams;
 
-	for ( ; i < m_numTeamsAllocated; i++)
-		m_teams[i].clear();
+	for ( ; i < m_numTeams; ++i)
+		m_teams[i] = m_teams[i+1];
 
-	--m_numTeams;
+	m_teams[m_numTeams].clear();
 }