diff options
| author | thilo <thilo@edf5b092-35ff-0310-97b2-ce42778d08ea> | 2006-05-06 01:56:24 +0000 |
|---|---|---|
| committer | thilo <thilo@edf5b092-35ff-0310-97b2-ce42778d08ea> | 2006-05-06 01:56:24 +0000 |
| commit | a679ae64e0a659e2b94ec97e688633bc1a0d041e (patch) | |
| tree | 5d3fe1a56ea961fb5618cfda1fbd6d0072f44a4a /code/renderer | |
| parent | 29ce2df227e4c556707ae482d4391c7eb700121d (diff) | |
| download | ioquake3-aero-a679ae64e0a659e2b94ec97e688633bc1a0d041e.tar.gz ioquake3-aero-a679ae64e0a659e2b94ec97e688633bc1a0d041e.zip | |
Add string length checking to function COM_StripExtension. This fixes the R_RemapShader buffer overflow exploit that can be found here:
http://milw0rm.com/exploits/1750
git-svn-id: svn://svn.icculus.org/quake3/trunk@765 edf5b092-35ff-0310-97b2-ce42778d08ea
Diffstat (limited to 'code/renderer')
| -rw-r--r-- | code/renderer/tr_bsp.c | 2 | ||||
| -rw-r--r-- | code/renderer/tr_shader.c | 6 |
2 files changed, 4 insertions, 4 deletions
diff --git a/code/renderer/tr_bsp.c b/code/renderer/tr_bsp.c index 85909ba..c340e13 100644 --- a/code/renderer/tr_bsp.c +++ b/code/renderer/tr_bsp.c @@ -1823,7 +1823,7 @@ void RE_LoadWorldMap( const char *name ) { Q_strncpyz( s_worldData.name, name, sizeof( s_worldData.name ) ); Q_strncpyz( s_worldData.baseName, COM_SkipPath( s_worldData.name ), sizeof( s_worldData.name ) ); - COM_StripExtension( s_worldData.baseName, s_worldData.baseName ); + COM_StripExtension(s_worldData.baseName, s_worldData.baseName, sizeof(s_worldData.baseName)); startMarker = ri.Hunk_Alloc(0, h_low); c_gridVerts = 0; diff --git a/code/renderer/tr_shader.c b/code/renderer/tr_shader.c index dc5b7d7..dac45ee 100644 --- a/code/renderer/tr_shader.c +++ b/code/renderer/tr_shader.c @@ -95,7 +95,7 @@ void R_RemapShader(const char *shaderName, const char *newShaderName, const char // remap all the shaders with the given name // even tho they might have different lightmaps - COM_StripExtension( shaderName, strippedName ); + COM_StripExtension(shaderName, strippedName, sizeof(strippedName)); hash = generateHashValue(strippedName, FILE_HASH_SIZE); for (sh = hashTable[hash]; sh; sh = sh->next) { if (Q_stricmp(sh->name, strippedName) == 0) { @@ -2365,7 +2365,7 @@ shader_t *R_FindShaderByName( const char *name ) { return tr.defaultShader; } - COM_StripExtension( name, strippedName ); + COM_StripExtension(name, strippedName, sizeof(strippedName)); hash = generateHashValue(strippedName, FILE_HASH_SIZE); @@ -2433,7 +2433,7 @@ shader_t *R_FindShader( const char *name, int lightmapIndex, qboolean mipRawImag lightmapIndex = LIGHTMAP_BY_VERTEX; } - COM_StripExtension( name, strippedName ); + COM_StripExtension(name, strippedName, sizeof(strippedName)); hash = generateHashValue(strippedName, FILE_HASH_SIZE); |