feaf03421d
Yesterday, when playing around with my network code, I realized there is
a security issue in decode_variant, at least when decoding PoolArrays.
Basically, the size of the PoolArray is encoded in a uint32_t; when
decoding it, that value is cast to int when comparing if the packet is
actually that size, causing numbers with MSB=1 to be interpreted as
negative, thus always passing the check. That same value, though, is used
as uint32_t again to resize the output vector. For this reason, sending
a malformed packet with declared type PoolByteArray and size of 2^31(+x)
causes the engine to try to allocate 2+GB of pool memory, causing the
engine to crash.
(cherry picked from commit
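
The comparison described in the commit message above, as an added example (not Godot's code and not the commit's own patch): the function names, the 4-byte little-endian count prefix and the sample packets are assumptions made for illustration. Nothing is allocated; each function only reports the size that would be handed to the resize call.

```cpp
#include <cstdint>
#include <cstdio>

// Assumed layout for this example only (not Godot's real wire format):
// a 4-byte little-endian element count, then that many payload bytes.
static uint32_t read_u32_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

// Flawed check as described in the commit message: the declared count is cast
// to int for the comparison, so a value with the top bit set becomes negative
// on common compilers and is never greater than the remaining length.
// Returns true if the packet is accepted; *alloc is the size that would then
// be passed, unsigned again, to the resize call.
bool accept_signed(const uint8_t *buf, int len, uint32_t *alloc) {
    if (len < 4) return false;
    uint32_t count = read_u32_le(buf);
    int remaining = len - 4;
    if ((int)count > remaining) return false; // bypassed when count >= 2^31
    *alloc = count;
    return true;
}

// Hardened check: keep the comparison in the unsigned domain, so the value
// that is validated is the same value that is later used as a size.
bool accept_unsigned(const uint8_t *buf, int len, uint32_t *alloc) {
    if (len < 4) return false;
    uint32_t count = read_u32_le(buf);
    uint32_t remaining = (uint32_t)(len - 4); // len >= 4, cannot wrap
    if (count > remaining) return false;
    *alloc = count;
    return true;
}

// Constructed sample packets: declared count 0x80000000 vs. a correct count 4.
const uint8_t BAD_PACKET[8] = {0x00, 0x00, 0x00, 0x80, 1, 2, 3, 4};
const uint8_t GOOD_PACKET[8] = {0x04, 0x00, 0x00, 0x00, 1, 2, 3, 4};

int main() {
    uint32_t n = 0;
    bool ok = accept_signed(BAD_PACKET, 8, &n);
    printf("signed check:   accepted=%d size=%u\n", ok, ok ? n : 0u);
    ok = accept_unsigned(BAD_PACKET, 8, &n);
    printf("unsigned check: accepted=%d\n", ok);
    return 0;
}
```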
Godot Engine
Homepage: https://godotengine.org
2D and 3D cross-platform game engine
Godot Engine is a feature-packed, cross-platform game engine to create 2D and 3D games from a unified interface. It provides a comprehensive set of common tools, so that users can focus on making games without having to reinvent the wheel. Games can be exported in one click to a number of platforms, including the major desktop platforms (Linux, Mac OSX, Windows) as well as mobile (Android, iOS) and web-based (HTML5) platforms.
Free, open source and community-driven
Godot is completely free and open source under the very permissive MIT license. No strings attached, no royalties, nothing. The users' games are theirs, down to the last line of engine code. Godot's development is fully independent and community-driven, empowering users to help shape their engine to match their expectations. It is supported by the Software Freedom Conservancy not-for-profit.
Before being open sourced in February 2014, Godot had been developed by Juan Linietsky and Ariel Manzur (both still maintaining the project) for several years as an in-house engine, used to publish several work-for-hire titles.
Getting the engine
Binary downloads
Official binaries for the Godot editor and the export templates can be found on the homepage.
Compiling from source
See the official docs for compilation instructions for every supported platform.
Community
Godot is not only an engine but an ever-growing community of users and engine developers. The main community channels are listed on the homepage.
To get in touch with the developers, the best way is to join the #godotengine IRC channel on Freenode.
Documentation and demos
The official documentation is hosted on ReadTheDocs. It is maintained by the Godot community in its own GitHub repository.
The class reference is also accessible from within the engine.
The official demos are maintained in their own GitHub repository as well.
There are also a number of other learning resources provided by the community, such as text and video tutorials, demos, etc. Consult the community channels for more info.