Technical Issue Overflow fixes

[Loaden]

Hi,
not sure if I'm in right forum.

I recordnize while browsing the source of JKA and ioquake today that there are some bugs / overflows which are known but aren't fixed in MBII now. Some of this bugs aren't fixed in openjk now (see ioquake bug tracker) . A few of them are potential security risk for player. Is MBII team fixing these bugs?

 

[kikili]

Hi,
MBII is a mod wich run above OpenJK or JKA through an API. We do not alter the code of both, therefore there is numerous bugs of them that are not fixed using MBII mod.

 

[ent]

MBII uses their own MBII Client engine based on OpenJK. And it takes bug fixes from OpenJK ofc.
But MBII team does not take a part in OpenJK development. So if OpenJK team is not fixing them, then they are also not coming to MBII Client.
If you want fix the bugs yourself, feel free to do that here: GitHub - MBII/OpenJK: Community effort to maintain and improve Jedi Academy + Jedi Outcast released by Raven Software

 

[Puppytine]

Just to be clear:
Movie Battles II actually allows users to CHOOSE an engine to run, it could be either:

1. MBII Client, which is fork of OpenJK, which, in turn, is fork of jamp.exe from Jedi Academy, or
2. Original jamp.exe, build by Ravensoft in 2003, or
3. jaMME by @ent.

So we can say that MBII does inherit bugs from all those engines, if any.
I assume that most players prefer jamp.

 

[Loaden]

Thanks @ent. I asked the question about the client source in a other thread.

I know about that mod API. But the code which work at that API isn't available. Functions in cgame/, game/, botlib/ etc. are overwritten by mod. I ask about if this code base (OJP) is updated because of the unmatching update cycles of mbii and fixed bugs. Is that source even available?

OT:
I checked a view things on git because I red this about pk3 auto downloader:
Sys_UnpackDLL() is a security risk · Issue #646 · JACoders/OpenJK · GitHub
making auto-downloading safer · Issue #130 · ioquake/ioq3 · GitHub

Nice to know: auto pk3 download is disabled by default always.
^ cl_allowdownload 0

For example if auto download is enabled, even if it's not allow to execute custom code, a other issue / overflow can be used.
Something like this:
[code/botlib/l_precomp.c] Fix string buffer overflow · ioquake/ioq3@90f2f02 · GitHub

 

[ent]

[code/botlib/l_precomp.c] Fix string buffer overflow · ioquake/ioq3@90f2f02 · GitHub

Botlib. MBII can run bots technically, but actually and fortunately none plays with bots at all. Though I am not sure about this piece of code if it gets executed on init or in ongoing game.