diff options
| author | thilo <thilo@edf5b092-35ff-0310-97b2-ce42778d08ea> | 2006-05-06 01:56:24 +0000 |
|---|---|---|
| committer | thilo <thilo@edf5b092-35ff-0310-97b2-ce42778d08ea> | 2006-05-06 01:56:24 +0000 |
| commit | a679ae64e0a659e2b94ec97e688633bc1a0d041e (patch) | |
| tree | 5d3fe1a56ea961fb5618cfda1fbd6d0072f44a4a /code/q3_ui | |
| parent | 29ce2df227e4c556707ae482d4391c7eb700121d (diff) | |
| download | ioquake3-aero-a679ae64e0a659e2b94ec97e688633bc1a0d041e.tar.gz ioquake3-aero-a679ae64e0a659e2b94ec97e688633bc1a0d041e.zip | |
Add string length checking to function COM_StripExtension. This fixes the R_RemapShader buffer overflow exploit that can be found here:
http://milw0rm.com/exploits/1750
git-svn-id: svn://svn.icculus.org/quake3/trunk@765 edf5b092-35ff-0310-97b2-ce42778d08ea
Diffstat (limited to 'code/q3_ui')
| -rw-r--r-- | code/q3_ui/ui_playermodel.c | 4 | ||||
| -rw-r--r-- | code/q3_ui/ui_players.c | 4 | ||||
| -rw-r--r-- | code/q3_ui/ui_saveconfig.c | 2 |
3 files changed, 5 insertions, 5 deletions
diff --git a/code/q3_ui/ui_playermodel.c b/code/q3_ui/ui_playermodel.c index 009f77d..e247149 100644 --- a/code/q3_ui/ui_playermodel.c +++ b/code/q3_ui/ui_playermodel.c @@ -391,7 +391,7 @@ static void PlayerModel_BuildList( void ) int numfiles; char dirlist[2048]; char filelist[2048]; - char skinname[64]; + char skinname[MAX_QPATH]; char* dirptr; char* fileptr; int i; @@ -424,7 +424,7 @@ static void PlayerModel_BuildList( void ) { filelen = strlen(fileptr); - COM_StripExtension(fileptr,skinname); + COM_StripExtension(fileptr,skinname, sizeof(skinname)); // look for icon_???? if (!Q_stricmpn(skinname,"icon_",5)) diff --git a/code/q3_ui/ui_players.c b/code/q3_ui/ui_players.c index db4b438..182b5f0 100644 --- a/code/q3_ui/ui_players.c +++ b/code/q3_ui/ui_players.c @@ -89,13 +89,13 @@ tryagain: if ( weaponNum == WP_MACHINEGUN || weaponNum == WP_GAUNTLET || weaponNum == WP_BFG ) { strcpy( path, item->world_model[0] ); - COM_StripExtension( path, path ); + COM_StripExtension( path, path, sizeof(path) ); strcat( path, "_barrel.md3" ); pi->barrelModel = trap_R_RegisterModel( path ); } strcpy( path, item->world_model[0] ); - COM_StripExtension( path, path ); + COM_StripExtension( path, path, sizeof(path) ); strcat( path, "_flash.md3" ); pi->flashModel = trap_R_RegisterModel( path ); diff --git a/code/q3_ui/ui_saveconfig.c b/code/q3_ui/ui_saveconfig.c index e988463..c9f0bc2 100644 --- a/code/q3_ui/ui_saveconfig.c +++ b/code/q3_ui/ui_saveconfig.c @@ -85,7 +85,7 @@ static void UI_SaveConfigMenu_SaveEvent( void *ptr, int event ) { return; } - COM_StripExtension(saveConfig.savename.field.buffer, configname ); + COM_StripExtension(saveConfig.savename.field.buffer, configname, sizeof(configname)); trap_Cmd_ExecuteText( EXEC_APPEND, va( "writeconfig %s.cfg\n", configname ) ); UI_PopMenu(); } |