feat(core): Patch latest sprays exploit

[Rushaway]

No description provided.

[Copilot]

Pull request overview

This PR adds enhanced spray exploit detection by implementing file size validation to catch malformed VTF files. The update introduces a sophisticated size calculation mechanism that compares actual file sizes against expected sizes derived from VTF header data, with a 5% tolerance threshold to minimize false positives.

Key changes:

• Added VTF file size validation that calculates expected size from header metadata (dimensions, mipmaps, format, frames) and flags files with >5% size mismatches
• Extended header validation coverage from offset 36 to offset 62 to read thumbnail dimensions
• Introduced client-level exploit tracking (g_bIsVTFExploit) to prevent replay attacks through the temp entity system

Comments suppressed due to low confidence (2)

addons/sourcemod/scripting/FixSprayExploit.sp:1355

• The native function Native_LogCustom doesn't validate that numParams >= 1 before calling FormatNativeString. If called with 0 parameters, this could cause undefined behavior. Add a check: if (numParams < 1) return 0; before the FormatNativeString call.

public int Native_LogCustom(Handle plugin, int numParams)
{
	char sBuffer[2048];
	FormatNativeString(0, 1, 2, sizeof(sBuffer), _, sBuffer);
	LogCustom(sBuffer);
	return 1;

addons/sourcemod/scripting/FixSprayExploit.sp:203

• The include file spray_exploit.inc is referenced but does not exist in the repository. This will cause a compilation error. Either the include file needs to be added to the repository, or this include directive should be removed if the forward and native are defined inline in this file.

#include <spray_exploit>

[Copilot]

The stock keyword is deprecated in modern SourcePawn with #pragma newdecls required. This function should be declared as static int MaxValC(int a, int b) instead to follow current SourcePawn best practices.

Suggested change

	stock int MaxValC(int a, int b)
	static int MaxValC(int a, int b)

[Copilot]

The new function GetFormatInfo lacks documentation explaining its purpose, parameters, and return value. Consider adding a docstring that explains: 1) Maps VTF format codes to compression type and bits-per-pixel, 2) Returns false if format is unrecognized (though current implementation always returns true), 3) Uses output parameters for compressed and bpp.

[Copilot]

Setting g_bIsVTFExploit[client] when client is 0 will corrupt memory by writing to index 0 of the array (which represents an invalid client). This can occur when GetClientFromSpray() and GetClientFromJingle() both return 0. Add a check: if (client) g_bIsVTFExploit[client] = true; to prevent this.

[Copilot]

Same issue: Setting g_bIsVTFExploit[client] when client is 0 will corrupt memory. Add a check: if (client) g_bIsVTFExploit[client] = true; to prevent writing to an invalid array index.

Suggested change

	g_bIsVTFExploit[client] = true;
	if (client)
	g_bIsVTFExploit[client] = true;

[Copilot]

The new function CalcSize lacks documentation explaining its purpose, parameters, and return value. Consider adding a docstring that explains: 1) It calculates the expected VTF file size based on header data, 2) Returns -1 on invalid format/version, 3) Returns calculated size in bytes for valid files. This is especially important given the complexity of the VTF format calculations.

[Copilot]

Potential integer overflow in size calculations. When calculating highresSize += bw*bh*bpp (line 1307) or highresSize += mw*mh*bpp/8 (line 1311), large dimensions could cause integer overflow before the result is added to highresSize. Similarly, multiplying by frames (line 1314) could overflow. Consider using 64-bit integers or adding overflow checks to prevent incorrect size validation that could allow malicious files to bypass detection.

[Copilot]

The VTF format constant definitions have gaps (e.g., format 8, 10-11 are missing between DXT1=7, DXT5=9, and BGRA8888=12). While this may match the VTF specification, GetFormatInfo defaults unknown formats to 32bpp uncompressed (line 1266), which could lead to incorrect size calculations for these formats. Consider explicitly handling or documenting which formats are intentionally unsupported to avoid false positives or security bypasses.

Suggested change

	bpp = 32;
	compressed = false;
	return true;
	// Unknown/unsupported format. Do not accept as valid.
	bpp = 0;
	compressed = false;
	return false;

[Copilot]

[nitpick] The 5% size tolerance threshold (SIZE_TOLERANCE = 0.05) is defined but lacks explanation for why this specific value was chosen. Consider adding a comment explaining the rationale (e.g., "allows for file format overhead, compression variations, or minor header extensions") to help future maintainers understand if this value needs adjustment based on false positive rates.

Suggested change

	// Tolerance for file size mismatch when validating spray files.
	// 5% allows for file format overhead, compression variations, or minor header extensions.
	// Adjust this value if false positives/negatives are observed in spray validation.

[Copilot]

The CalcSize function calculates only the image data size (mipmaps + thumbnail) but doesn't account for the VTF file header. VTF files have an 80-byte header (version 7.0+), so the actual file size should be headerSize + highresSize + thumbSize. This will cause false positives where valid spray files are flagged as having size mismatches. Consider returning 80 + highresSize + thumbSize instead.

Suggested change

	return highresSize + thumbSize;
	return 80 + highresSize + thumbSize;

[Rushaway]

@null138 What you think about all these suggestions ?