Source-Authors · RaphaelIT7 · Mar 3, 2025 · Mar 3, 2025 · Mar 3, 2025 · Mar 3, 2025
diff --git a/game/client/c_baseentity.cpp b/game/client/c_baseentity.cpp
@@ -1090,6 +1090,28 @@ bool C_BaseEntity::Init( int entnum, int iSerialNum )
 
 	index = entnum;
 
+	if ( this->IsPlayer() )
+	{
+		// Josh: If we ever have a player that could ever cause us
+		// an out of bounds access to any player sized arrays.
+		// Just get out now!
+		//
+		// All these issues should be bounds checked now anyway,
+		// but I'd much rather be safe than sorry here.
+		//
+		// Additionally, make sure we aren't 0 or negative,
+		// the player CANNOT be worldspawn.
+		// Someone is going to try that to get an extra player and frog something up!
+		// 
+		// Player index is entindex - 1.
+		// MAX_PLAYERS_ARRAY_SAFE is MAX_PLAYERS + 1.
+		if ( index <= 0 || index >= MAX_PLAYERS_ARRAY_SAFE )
+		{
+			Warning("Player with out of bounds entindex! Got: %d Expected to be in inclusive range: %d - %d\n", index, 1, MAX_PLAYERS );
+			return false;
+		}
+	}
+
 	cl_entitylist->AddNetworkableEntity( GetIClientUnknown(), entnum, iSerialNum );
 
 	CollisionProp()->CreatePartitionHandle();

diff --git a/game/client/c_baseplayer.cpp b/game/client/c_baseplayer.cpp
@@ -523,12 +523,12 @@ bool C_BasePlayer::IsReplay() const
 CBaseEntity	*C_BasePlayer::GetObserverTarget() const	// returns players target or NULL
 {
 #ifndef _XBOX
-	if ( IsHLTV() )
+	if ( IsHLTV() && HLTVCamera() )
 	{
 		return HLTVCamera()->GetPrimaryTarget();
 	}
 #if defined( REPLAY_ENABLED )
-	if ( IsReplay() )
+	if ( IsReplay() && ReplayCamera() )
 	{
 		return ReplayCamera()->GetPrimaryTarget();
 	}
@@ -624,12 +624,12 @@ void C_BasePlayer::SetObserverMode ( int iNewMode )
 int C_BasePlayer::GetObserverMode() const 
 { 
 #ifndef _XBOX
-	if ( IsHLTV() )
+	if ( IsHLTV() && HLTVCamera() )
 	{
 		return HLTVCamera()->GetMode();
 	}
 #if defined( REPLAY_ENABLED )
-	if ( IsReplay() )
+	if ( IsReplay() && ReplayCamera() )
 	{
 		return ReplayCamera()->GetMode();
 	}

diff --git a/game/client/c_playerresource.cpp b/game/client/c_playerresource.cpp
@@ -32,16 +32,16 @@ END_RECV_TABLE()
 
 BEGIN_PREDICTION_DATA( C_PlayerResource )
 
-	DEFINE_PRED_ARRAY( m_szName, FIELD_STRING, MAX_PLAYERS+1, FTYPEDESC_PRIVATE ),
-	DEFINE_PRED_ARRAY( m_iPing, FIELD_INTEGER, MAX_PLAYERS+1, FTYPEDESC_PRIVATE ),
-	DEFINE_PRED_ARRAY( m_iScore, FIELD_INTEGER, MAX_PLAYERS+1, FTYPEDESC_PRIVATE ),
-	DEFINE_PRED_ARRAY( m_iDeaths, FIELD_INTEGER, MAX_PLAYERS+1, FTYPEDESC_PRIVATE ),
-	DEFINE_PRED_ARRAY( m_bConnected, FIELD_BOOLEAN, MAX_PLAYERS+1, FTYPEDESC_PRIVATE ),
-	DEFINE_PRED_ARRAY( m_iTeam, FIELD_INTEGER, MAX_PLAYERS+1, FTYPEDESC_PRIVATE ),
-	DEFINE_PRED_ARRAY( m_bAlive, FIELD_BOOLEAN, MAX_PLAYERS+1, FTYPEDESC_PRIVATE ),
-	DEFINE_PRED_ARRAY( m_iHealth, FIELD_INTEGER, MAX_PLAYERS+1, FTYPEDESC_PRIVATE ),
-	DEFINE_PRED_ARRAY( m_iAccountID, FIELD_INTEGER, MAX_PLAYERS+1, FTYPEDESC_PRIVATE ),
-	DEFINE_PRED_ARRAY( m_bValid, FIELD_BOOLEAN, MAX_PLAYERS+1, FTYPEDESC_PRIVATE ),
+	DEFINE_PRED_ARRAY( m_szName, FIELD_STRING, MAX_PLAYERS_ARRAY_SAFE, FTYPEDESC_PRIVATE ),
+	DEFINE_PRED_ARRAY( m_iPing, FIELD_INTEGER, MAX_PLAYERS_ARRAY_SAFE, FTYPEDESC_PRIVATE ),
+	DEFINE_PRED_ARRAY( m_iScore, FIELD_INTEGER, MAX_PLAYERS_ARRAY_SAFE, FTYPEDESC_PRIVATE ),
+	DEFINE_PRED_ARRAY( m_iDeaths, FIELD_INTEGER, MAX_PLAYERS_ARRAY_SAFE, FTYPEDESC_PRIVATE ),
+	DEFINE_PRED_ARRAY( m_bConnected, FIELD_BOOLEAN, MAX_PLAYERS_ARRAY_SAFE, FTYPEDESC_PRIVATE ),
+	DEFINE_PRED_ARRAY( m_iTeam, FIELD_INTEGER, MAX_PLAYERS_ARRAY_SAFE, FTYPEDESC_PRIVATE ),
+	DEFINE_PRED_ARRAY( m_bAlive, FIELD_BOOLEAN, MAX_PLAYERS_ARRAY_SAFE, FTYPEDESC_PRIVATE ),
+	DEFINE_PRED_ARRAY( m_iHealth, FIELD_INTEGER, MAX_PLAYERS_ARRAY_SAFE, FTYPEDESC_PRIVATE ),
+	DEFINE_PRED_ARRAY( m_iAccountID, FIELD_INTEGER, MAX_PLAYERS_ARRAY_SAFE, FTYPEDESC_PRIVATE ),
+	DEFINE_PRED_ARRAY( m_bValid, FIELD_BOOLEAN, MAX_PLAYERS_ARRAY_SAFE, FTYPEDESC_PRIVATE ),
 
 END_PREDICTION_DATA()	
 

diff --git a/game/client/c_playerresource.h b/game/client/c_playerresource.h
@@ -64,17 +64,17 @@ public : // IGameResources interface
 
 	// Data for each player that's propagated to all clients
 	// Stored in individual arrays so they can be sent down via datatables
-	string_t	m_szName[MAX_PLAYERS+1];
-	int		m_iPing[MAX_PLAYERS+1];
-	int		m_iScore[MAX_PLAYERS+1];
-	int		m_iDeaths[MAX_PLAYERS+1];
-	bool	m_bConnected[MAX_PLAYERS+1];
-	int		m_iTeam[MAX_PLAYERS+1];
-	bool	m_bAlive[MAX_PLAYERS+1];
-	int		m_iHealth[MAX_PLAYERS+1];
+	string_t	m_szName[MAX_PLAYERS_ARRAY_SAFE];
+	int		m_iPing[MAX_PLAYERS_ARRAY_SAFE];
+	int		m_iScore[MAX_PLAYERS_ARRAY_SAFE];
+	int		m_iDeaths[MAX_PLAYERS_ARRAY_SAFE];
+	bool	m_bConnected[MAX_PLAYERS_ARRAY_SAFE];
+	int		m_iTeam[MAX_PLAYERS_ARRAY_SAFE];
+	bool	m_bAlive[MAX_PLAYERS_ARRAY_SAFE];
+	int		m_iHealth[MAX_PLAYERS_ARRAY_SAFE];
 	Color	m_Colors[MAX_TEAMS];
-	uint32	m_iAccountID[MAX_PLAYERS+1];
-	bool	m_bValid[MAX_PLAYERS+1];
+	uint32	m_iAccountID[MAX_PLAYERS_ARRAY_SAFE];
+	bool	m_bValid[MAX_PLAYERS_ARRAY_SAFE];
 	string_t m_szUnconnectedName;
 };
 

diff --git a/game/client/c_sceneentity.cpp b/game/client/c_sceneentity.cpp
@@ -219,11 +219,11 @@ void C_SceneEntity::SetupClientOnlyScene( const char *pszFilename, C_BaseFlex *p
 	m_hOwner = pOwner;
 	m_bClientOnly = true;
 
-	char szFilename[128];
-	Assert( V_strlen( pszFilename ) < 128 );
+	char szFilename[MAX_PATH];
+	Assert( V_strlen( pszFilename ) < MAX_PATH );
 	V_strcpy_safe( szFilename, pszFilename );
 
-	char szSceneHWM[128];
+	char szSceneHWM[ MAX_PATH ];
 	if ( GetHWMorphSceneFileName( szFilename, szSceneHWM ) )
 	{
 		V_strcpy_safe( szFilename, szSceneHWM );

diff --git a/game/client/c_team.cpp b/game/client/c_team.cpp
@@ -151,7 +151,11 @@ int C_Team::Get_Ping( void )
 //-----------------------------------------------------------------------------
 int C_Team::Get_Number_Players( void )
 {
-	return m_aPlayers.Count();
+	int nCount = m_aPlayers.Size();
+	if ( nCount > MAX_PLAYERS )
+		return MAX_PLAYERS;
+
+	return nCount;
 }
 
 //-----------------------------------------------------------------------------

diff --git a/game/client/viewangleanim.cpp b/game/client/viewangleanim.cpp
@@ -101,7 +101,9 @@ CON_COMMAND( viewanim_save, "Save current animation to file" )
 
 	if ( g_pTestAnimation )
 	{	
-		g_pTestAnimation->SaveAsAnimFile( args[1] );
+		char szOutput[ MAX_PATH ];
+		V_FixupPathName( szOutput, sizeof(szOutput), args[1] );
+		g_pTestAnimation->SaveAsAnimFile( szOutput );
 	}
 	else
 	{

diff --git a/game/client/viewdebug.cpp b/game/client/viewdebug.cpp
@@ -629,7 +629,8 @@ CON_COMMAND_F( r_screenoverlay, "Draw specified material as an overlay", FCVAR_C
 {
 	if( args.ArgC() == 2 )
 	{
-		if ( !Q_stricmp( "off", args[1] ) )
+		// This command is silly an undocumented, but, users are expecting r_screenoverlay 0 to function as 'off'.
+		if ( !Q_stricmp( "off", args[1] ) || !Q_stricmp( "0", args[1] ) )
 		{
 			view->SetScreenOverlayMaterial( NULL );
 		}

diff --git a/game/server/CommentarySystem.cpp b/game/server/CommentarySystem.cpp
@@ -352,7 +352,10 @@ class CCommentarySystem : public CAutoGameSystemPerFrame
 		InitCommentary();
 
 		IGameEvent *event = gameeventmanager->CreateEvent( "playing_commentary" );
-		gameeventmanager->FireEventClientSide( event );
+		if ( event )
+		{
+			gameeventmanager->FireEventClientSide( event );
+		}
 	}
 
 	CPointCommentaryNode *GetNodeUnderCrosshair()

diff --git a/game/server/TemplateEntities.cpp b/game/server/TemplateEntities.cpp
@@ -22,6 +22,7 @@
 #include "eventqueue.h"
 #include "TemplateEntities.h"
 #include "utldict.h"
+#include "fgdlib/entitydefs.h"
 
 // memdbgon must be the last include file in a .cpp file!!!
 #include "tier0/memdbgon.h"
@@ -225,7 +226,13 @@ void Templates_ReconnectIOForGroup( CPointTemplate *pGroup )
 				// Entity I/O values are stored as "Targetname,<data>", so we need to see if there's a ',' in the string
 				char *sValue = value;
 				// FIXME: This is very brittle. Any key with a , will not be found.
-				char *s = strchr( value, ',' );
+				char delimiter = VMF_IOPARAM_STRING_DELIMITER;
+				if( strchr( value, delimiter ) == NULL )
+				{
+					delimiter = ',';
+				}
+
+				char *s = strchr( value, delimiter );
 				if ( s )
 				{
 					// Grab just the targetname of the receiver

diff --git a/game/server/baseanimating.cpp b/game/server/baseanimating.cpp
@@ -1116,7 +1116,8 @@ void CBaseAnimating::DispatchAnimEvents ( CBaseAnimating *eventHandler )
 				(float)flCycleRate );
 		}
 		*/
-		eventHandler->HandleAnimEvent( &event );
+		if ( eventHandler )
+			eventHandler->HandleAnimEvent( &event );
 
 		// FAILSAFE:
 		// If HandleAnimEvent has somehow reset my internal pointer

diff --git a/game/server/cbase.cpp b/game/server/cbase.cpp
@@ -129,10 +129,16 @@ CEventAction::CEventAction( const char *ActionData )
 
 	char szToken[256];
 
+	char chDelim = VMF_IOPARAM_STRING_DELIMITER;
+	if (!strchr(ActionData, VMF_IOPARAM_STRING_DELIMITER))
+	{
+		chDelim = ',';
+	}
+
 	//
 	// Parse the target name.
 	//
-	const char *psz = nexttoken(szToken, ActionData, ',');
+	const char *psz = nexttoken(szToken, ActionData, chDelim);
 	if (szToken[0] != '\0')
 	{
 		m_iTarget = AllocPooledString(szToken);
@@ -141,7 +147,7 @@ CEventAction::CEventAction( const char *ActionData )
 	//
 	// Parse the input name.
 	//
-	psz = nexttoken(szToken, psz, ',');
+	psz = nexttoken(szToken, psz, chDelim);
 	if (szToken[0] != '\0')
 	{
 		m_iTargetInput = AllocPooledString(szToken);
@@ -154,7 +160,7 @@ CEventAction::CEventAction( const char *ActionData )
 	//
 	// Parse the parameter override.
 	//
-	psz = nexttoken(szToken, psz, ',');
+	psz = nexttoken(szToken, psz, chDelim);
 	if (szToken[0] != '\0')
 	{
 		m_iParameter = AllocPooledString(szToken);
@@ -163,7 +169,7 @@ CEventAction::CEventAction( const char *ActionData )
 	//
 	// Parse the delay.
 	//
-	psz = nexttoken(szToken, psz, ',');
+	psz = nexttoken(szToken, psz, chDelim);
 	if (szToken[0] != '\0')
 	{
 		m_flDelay = strtof(szToken, nullptr);
@@ -172,7 +178,7 @@ CEventAction::CEventAction( const char *ActionData )
 	//
 	// Parse the number of times to fire.
 	//
-	nexttoken(szToken, psz, ',');
+	nexttoken(szToken, psz, chDelim);
 	if (szToken[0] != '\0')
 	{
 		m_nTimesToFire = atoi(szToken);
@@ -186,7 +192,7 @@ CEventAction::CEventAction( const char *ActionData )
 
 // this memory pool stores blocks around the size of CEventAction/inputitem_t structs
 // can be used for other blocks; will error if to big a block is tried to be allocated
-CUtlMemoryPool g_EntityListPool( MAX(sizeof(CEventAction),sizeof(CMultiInputVar::inputitem_t)), 512, CUtlMemoryPool::GROW_FAST, "g_EntityListPool" );
+CUtlMemoryPool g_EntityListPool( MAX(sizeof(CEventAction),sizeof(CMultiInputVar::inputitem_t)), 512, CUtlMemoryPool::GROW_FAST, "g_EntityListPool", Max<int>( alignof( CEventAction ), alignof( CMultiInputVar::inputitem_t ) ) );
 
 #include "tier0/memdbgoff.h"
 

diff --git a/game/server/client.cpp b/game/server/client.cpp
@@ -135,6 +135,32 @@ char * CheckChatText( CBasePlayer *pPlayer, char *text )
 		p[length] = 0;
 	}
 
+	// Josh:
+	// Cheaters can send us whatever data they want through this channel
+	// Let's validate they aren't trying to clear the chat.
+	// If we detect any of these blacklisted characters (which players cannot type anyway.)
+	// Let's just end the string here.
+	static const char s_blacklist[] = {
+	//	CLRF   LF    ESC
+		'\r',  '\n', '\x1b'
+	};
+
+	int oldLength = length;
+	for (int i = 0; i < length && oldLength == length; i++) {
+		for (int j = 0; j < ARRAYSIZE(s_blacklist); j++) {
+			if (p[i] == s_blacklist[j]) {
+				p[i] = '\0';
+				length = i;
+			}
+		}
+	}
+
+	// Josh:
+	// If the whole string was garbage characters
+	// Let's just not print anything.
+	if ( !*p )
+		return NULL;
+
 	// cut off after 127 chars
 	if ( length > 127 )
 		text[127] = 0;
@@ -215,6 +241,12 @@ void Host_Say( edict_t *pEdict, const CCommand &args, bool teamonly )
 		pPlayer->CheckChatText( p, 127 );	// though the buffer szTemp that p points to is 256, 
 											// chat text is capped to 127 in CheckChatText above
 
+		// make sure the text has valid content
+		p = CheckChatText( pPlayer, p );
+
+		if ( !p )
+			return;
+
 		Assert( pPlayer->GetPlayerName()[0] != '\0' );
 
 		bSenderDead = ( pPlayer->m_lifeState != LIFE_ALIVE );

diff --git a/game/server/game_ui.cpp b/game/server/game_ui.cpp
@@ -170,7 +170,7 @@ void CGameUI::Deactivate( CBaseEntity *pActivator )
 	}
 	else
 	{
-		Warning("%s Deactivate(): I have no player when called by %s!\n", GetEntityName().ToCStr(), pActivator->GetEntityName().ToCStr());
+		Warning("%s Deactivate(): I have no player when called by %s!\n", GetEntityName().ToCStr(), pActivator ? pActivator->GetEntityName().ToCStr() : NULL);
 	}
 
 	// Stop thinking

diff --git a/game/server/gameinterface.cpp b/game/server/gameinterface.cpp
@@ -1388,6 +1388,12 @@ void CServerGameDLL::LevelShutdown( void )
 	// In case we quit out during initial load
 	CBaseEntity::SetAllowPrecache( false );
 
+	// Josh: Uncache all the particle systems on level shutdown
+	// otherwise we leak them constantly on changelevel in the
+	// particle precache stringtable list.
+	g_pParticleSystemMgr->UncacheAllParticleSystems();
+	g_pParticleSystemMgr->RecreateDictionary();
+
 	g_nCurrentChapterIndex = -1;
 
 #ifndef _XBOX
@@ -3058,6 +3064,8 @@ void CServerGameClients::ClientSetupVisibility( edict_t *pViewEntity, edict_t *p
 //-----------------------------------------------------------------------------
 #define CMD_MAXBACKUP 64
 
+static ConVar sv_max_usercmd_move_magnitude( "sv_max_usercmd_move_magnitude", "1000", 0, "Maximum move magnitude that can be requested by client." );	
+
 float CServerGameClients::ProcessUsercmds( edict_t *player, bf_read *buf, int numcmds, int totalcmds,
 	int dropped_packets, bool ignore, bool paused )
 {
@@ -3080,7 +3088,7 @@ float CServerGameClients::ProcessUsercmds( edict_t *player, bf_read *buf, int nu
 		pPlayer = static_cast< CBasePlayer * >( pEnt );
 	}
 	// Too many commands?
-	if ( totalcmds < 0 || totalcmds >= ( CMD_MAXBACKUP - 1 ) )
+	if ( totalcmds < 0 || totalcmds >= ( CMD_MAXBACKUP - 1 ) || numcmds < 0 || numcmds > totalcmds )
 	{
 		const char *name = "unknown";
 		if ( pPlayer )
@@ -3103,6 +3111,15 @@ float CServerGameClients::ProcessUsercmds( edict_t *player, bf_read *buf, int nu
 		to = &cmds[ i ];
 		ReadUsercmd( buf, to, from );
 		from = to;
+
+		if ( ( fabs( to->forwardmove ) > sv_max_usercmd_move_magnitude.GetFloat() ) ||
+			( fabs( to->sidemove ) > sv_max_usercmd_move_magnitude.GetFloat() ) ||
+			( fabs( to->upmove ) > sv_max_usercmd_move_magnitude.GetFloat() ) )
+		{
+			to->forwardmove = 0;
+			to->sidemove = 0;
+			to->upmove = 0;
+		}
 	}
 
 	// Client not fully connected or server has gone inactive  or is paused, just ignore

diff --git a/game/server/hl2/grenade_frag.cpp b/game/server/hl2/grenade_frag.cpp
@@ -155,7 +155,10 @@ void CGrenadeFrag::OnRestore( void )
 void CGrenadeFrag::CreateEffects( void )
 {
 	// Start up the eye glow
-	m_pMainGlow = CSprite::SpriteCreate( "sprites/redglow1.vmt", GetLocalOrigin(), false );
+	if ( !m_pMainGlow.Get() )
+	{
+		m_pMainGlow = CSprite::SpriteCreate("sprites/redglow1.vmt", GetLocalOrigin(), false);
+	}
 
 	int	nAttachment = LookupAttachment( "fuse" );
 
@@ -169,7 +172,10 @@ void CGrenadeFrag::CreateEffects( void )
 	}
 
 	// Start up the eye trail
-	m_pGlowTrail	= CSpriteTrail::SpriteTrailCreate( "sprites/bluelaser1.vmt", GetLocalOrigin(), false );
+	if ( !m_pGlowTrail.Get() )
+	{
+		m_pGlowTrail = CSpriteTrail::SpriteTrailCreate("sprites/bluelaser1.vmt", GetLocalOrigin(), false);
+	}
 
 	if ( m_pGlowTrail != NULL )
 	{
-Original file line number
+Diff line change
@@ Expand Up / @@ -170,7 +170,7 @@ void CGameUI::Deactivate( CBaseEntity *pActivator ) @@
     	}
     	else
     	{
-    		Warning("%s Deactivate(): I have no player when called by %s!\n", GetEntityName().ToCStr(), pActivator->GetEntityName().ToCStr());
+    		Warning("%s Deactivate(): I have no player when called by %s!\n", GetEntityName().ToCStr(), pActivator ? pActivator->GetEntityName().ToCStr() : NULL);
     	}
     	// Stop thinking
@@ Expand Down @@