diff options
| author | thilo <thilo@edf5b092-35ff-0310-97b2-ce42778d08ea> | 2006-05-06 01:56:24 +0000 |
|---|---|---|
| committer | thilo <thilo@edf5b092-35ff-0310-97b2-ce42778d08ea> | 2006-05-06 01:56:24 +0000 |
| commit | a679ae64e0a659e2b94ec97e688633bc1a0d041e (patch) | |
| tree | 5d3fe1a56ea961fb5618cfda1fbd6d0072f44a4a /code/qcommon | |
| parent | 29ce2df227e4c556707ae482d4391c7eb700121d (diff) | |
| download | ioquake3-aero-a679ae64e0a659e2b94ec97e688633bc1a0d041e.tar.gz ioquake3-aero-a679ae64e0a659e2b94ec97e688633bc1a0d041e.zip | |
Add string length checking to function COM_StripExtension. This fixes the R_RemapShader buffer overflow exploit that can be found here:
http://milw0rm.com/exploits/1750
git-svn-id: svn://svn.icculus.org/quake3/trunk@765 edf5b092-35ff-0310-97b2-ce42778d08ea
Diffstat (limited to 'code/qcommon')
| -rw-r--r-- | code/qcommon/files.c | 2 | ||||
| -rw-r--r-- | code/qcommon/q_shared.c | 4 | ||||
| -rw-r--r-- | code/qcommon/q_shared.h | 2 | ||||
| -rw-r--r-- | code/qcommon/vm.c | 2 |
4 files changed, 5 insertions, 5 deletions
diff --git a/code/qcommon/files.c b/code/qcommon/files.c index 51bf5ef..13b8a25 100644 --- a/code/qcommon/files.c +++ b/code/qcommon/files.c @@ -3451,7 +3451,7 @@ void FS_FilenameCompletion( const char *dir, const char *ext, Q_strncpyz( filename, filenames[ i ], MAX_STRING_CHARS ); if( stripExt ) { - COM_StripExtension( filename, filename ); + COM_StripExtension(filename, filename, sizeof(filename)); } callback( filename ); diff --git a/code/qcommon/q_shared.c b/code/qcommon/q_shared.c index de54e17..9d94f2a 100644 --- a/code/qcommon/q_shared.c +++ b/code/qcommon/q_shared.c @@ -58,10 +58,10 @@ char *COM_SkipPath (char *pathname) COM_StripExtension ============ */ -void COM_StripExtension( const char *in, char *out ) { +void COM_StripExtension( const char *in, char *out, int destsize ) { int length; - strcpy( out, in ); + Q_strncpyz(out, in, destsize); length = strlen(out)-1; while (length > 0 && out[length] != '.') diff --git a/code/qcommon/q_shared.h b/code/qcommon/q_shared.h index 3fc713d..705517a 100644 --- a/code/qcommon/q_shared.h +++ b/code/qcommon/q_shared.h @@ -588,7 +588,7 @@ int Q_isnan( float x ); float Com_Clamp( float min, float max, float value ); char *COM_SkipPath( char *pathname ); -void COM_StripExtension( const char *in, char *out ); +void COM_StripExtension(const char *in, char *out, int destsize); void COM_DefaultExtension( char *path, int maxSize, const char *extension ); void COM_BeginParseSession( const char *name ); diff --git a/code/qcommon/vm.c b/code/qcommon/vm.c index 0eb35c5..efc0da8 100644 --- a/code/qcommon/vm.c +++ b/code/qcommon/vm.c @@ -230,7 +230,7 @@ void VM_LoadSymbols( vm_t *vm ) { return; } - COM_StripExtension( vm->name, name ); + COM_StripExtension(vm->name, name, sizeof(name)); Com_sprintf( symbols, sizeof( symbols ), "vm/%s.map", name ); len = FS_ReadFile( symbols, (void **)&mapfile ); if ( !mapfile ) { |