From 2582d9b6d12d59306018eeb1484b29c81d1e1c81 Mon Sep 17 00:00:00 2001
From: sanasol
Date: Tue, 27 Jan 2026 02:10:31 +0100
Subject: [PATCH] Fix memory corruption by null-padding shorter replacement patterns

When replacing domain strings with shorter ones, the replaceBytes function was only copying the new bytes without clearing the leftover bytes from the old pattern. This caused "free(): invalid pointer" crashes on Steam Deck and Ubuntu due to corrupted string metadata in the .NET AOT binary.

Fix: Fill the entire old pattern region with 0x00 before writing the new bytes. This ensures no leftover data remains that could corrupt the binary structure.

Co-Authored-By: Claude Opus 4.5
---
 backend/utils/clientPatcher.js | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/backend/utils/clientPatcher.js b/backend/utils/clientPatcher.js
index 3446fed..332a7a4 100644
--- a/backend/utils/clientPatcher.js
+++ b/backend/utils/clientPatcher.js
@@ -147,8 +147,9 @@ class ClientPatcher {
     }
 
     /**
-     * Replace bytes in buffer - only overwrites the length of new bytes
-     * Prevents offset corruption by not expanding the replacement
+     * Replace bytes in buffer with null-padding for shorter replacements
+     * When new pattern is shorter than old, pads with 0x00 to prevent leftover bytes
+     * that can cause memory corruption (free(): invalid pointer) on some systems
      */
     replaceBytes(buffer, oldBytes, newBytes) {
         let count = 0;
@@ -162,7 +163,12 @@ class ClientPatcher {
         const positions = this.findAllOccurrences(result, oldBytes);
 
         for (const pos of positions) {
-            // Only overwrite the length of the new bytes
+            // First fill the entire old pattern region with zeros
+            // This prevents leftover bytes from causing memory corruption
+            if (newBytes.length < oldBytes.length) {
+                result.fill(0x00, pos, pos + oldBytes.length);
+            }
+            // Then write the new bytes
             newBytes.copy(result, pos);
             count++;
         }
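Review bot: The new zero-fill covers only the shorter case; when newBytes is longer than oldBytes, `newBytes.copy(result, pos)` on the line after the added block still writes past the end of the matched pattern into whatever follows it, which is the same kind of silent corruption this commit is fixing, unless a length check exists in the unshown lines between the two hunks. I would reject that case explicitly before the loop: `if (newBytes.length > oldBytes.length) throw new Error('replacement is longer than the pattern it replaces');`. Note also that the fill rewrites the bytes but not any length prefix the binary may keep for the literal, so the patched string presumably retains its original length with trailing NULs — worth confirming the consumer tolerates that, and worth a comment on the `result.fill` line saying so. replaceBytes starts in the previous hunk and the body between the two hunks is not shown.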