Fix memory corruption by null-padding shorter replacement patterns

When replacing domain strings with shorter ones, the replaceBytes function was only copying the new bytes without clearing the leftover bytes from the old pattern. This caused "free(): invalid pointer" crashes on Steam Deck and Ubuntu due to corrupted string metadata in the .NET AOT binary. Fix: Fill the entire old pattern region with 0x00 before writing the new bytes. This ensures no leftover data remains that could corrupt the binary structure. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-26 16:21:49 -03:00 · 2026-01-27 02:10:31 +01:00
parent e56b12cd72
commit 2582d9b6d1
1 changed files with 9 additions and 3 deletions
--- a/backend/utils/clientPatcher.js
+++ b/backend/utils/clientPatcher.js
@@ -147,8 +147,9 @@ class ClientPatcher {
  }

  /**
-   * Replace bytes in buffer - only overwrites the length of new bytes
-   * Prevents offset corruption by not expanding the replacement
+   * Replace bytes in buffer with null-padding for shorter replacements
+   * When new pattern is shorter than old, pads with 0x00 to prevent leftover bytes
+   * that can cause memory corruption (free(): invalid pointer) on some systems
   */
  replaceBytes(buffer, oldBytes, newBytes) {
    let count = 0;
@@ -162,7 +163,12 @@ class ClientPatcher {
    const positions = this.findAllOccurrences(result, oldBytes);

    for (const pos of positions) {
-      // Only overwrite the length of the new bytes
+      // First fill the entire old pattern region with zeros
+      // This prevents leftover bytes from causing memory corruption
+      if (newBytes.length < oldBytes.length) {
+        result.fill(0x00, pos, pos + oldBytes.length);
+      }
+      // Then write the new bytes
      newBytes.copy(result, pos);
      count++;
    }