author | tma <tma@edf5b092-35ff-0310-97b2-ce42778d08ea> | 2005-09-19 17:45:29 +0000 |
---|---|---|
committer | tma <tma@edf5b092-35ff-0310-97b2-ce42778d08ea> | 2005-09-19 17:45:29 +0000 |
commit | 275b73aa64da7c4b5083216d273877380ceebe73 (patch) | |
tree | 6e26bdbc5a43c5d26a21d090ff4e9840ed61670b /code | |
parent | 9170f3b736b0cfd2818333cf60e2c4ff1959e30f (diff) | |
download | ioquake3-aero-275b73aa64da7c4b5083216d273877380ceebe73.tar.gz ioquake3-aero-275b73aa64da7c4b5083216d273877380ceebe73.zip |
* Fix to multiple buffer overflow bugs in CL_Rcon_f
* Fix to COM_ParseExt 1 byte overwrite bug
* Fixed some missing calls to trap_FS_FCloseFile
* Fixed q3msgboom and q3infoboom bugs
* Fixed some qboolean type confusion
* Above fixes from http://www.quakesrc.org/forums/viewtopic.php?t=5374
git-svn-id: svn://svn.icculus.org/quake3/trunk@95 edf5b092-35ff-0310-97b2-ce42778d08ea
Diffstat (limited to 'code')
-rw-r--r-- | code/cgame/cg_players.c | 1 | ||||
-rw-r--r-- | code/client/cl_keys.c | 4 | ||||
-rw-r--r-- | code/client/cl_main.c | 11 | ||||
-rw-r--r-- | code/client/keys.h | 2 | ||||
-rw-r--r-- | code/game/q_shared.c | 13 | ||||
-rw-r--r-- | code/q3_ui/ui_players.c | 1 | ||||
-rw-r--r-- | code/qcommon/files.c | 4 | ||||
-rw-r--r-- | code/server/sv_main.c | 8 | ||||
-rw-r--r-- | code/ui/ui_players.c | 1 |
9 files changed, 26 insertions, 19 deletions
diff --git a/code/cgame/cg_players.c b/code/cgame/cg_players.c
index 6987442..a7858fd 100644
--- a/code/cgame/cg_players.c
+++ b/code/cgame/cg_players.c
@@ -107,6 +107,7 @@ static qboolean CG_ParseAnimationFile( const char *filename, clientInfo_t *ci )
 }
 if ( len >= sizeof( text ) - 1 ) {
 CG_Printf( "File %s too long\n", filename );
+ trap_FS_FCloseFile( f );
 return qfalse;
 }
 trap_FS_Read( text, len, f );
diff --git a/code/client/cl_keys.c b/code/client/cl_keys.c
index 1ccfc52..cf14d97 100644
--- a/code/client/cl_keys.c
+++ b/code/client/cl_keys.c
@@ -42,7 +42,7 @@ int chat_playerNum;
 qboolean key_overstrikeMode;
-qboolean anykeydown;
+int anykeydown;
 qkey_t keys[MAX_KEYS];
@@ -1238,7 +1238,7 @@ void Key_ClearStates (void)
 {
 int i;
- anykeydown = qfalse;
+ anykeydown = 0;
 for ( i=0 ; i < MAX_KEYS ; i++ ) {
 if ( keys[i].down ) {
diff --git a/code/client/cl_main.c b/code/client/cl_main.c
index 21075f2..d890275 100644
--- a/code/client/cl_main.c
+++ b/code/client/cl_main.c
@@ -1090,6 +1090,7 @@ void CL_Connect_f( void ) {
 Cvar_Set( "cl_currentServerAddress", server );
 }
+#define MAX_RCON_MESSAGE 1024
 /*
 =====================
@@ -1100,7 +1101,7 @@ CL_Rcon_f
 =====================
 */
 void CL_Rcon_f( void ) {
- char message[1024];
+ char message[MAX_RCON_MESSAGE];
 netadr_t to;
 if ( !rcon_client_password->string ) {
@@ -1115,13 +1116,13 @@ void CL_Rcon_f( void ) {
 message[3] = -1;
 message[4] = 0;
- strcat (message, "rcon ");
+ Q_strcat (message, MAX_RCON_MESSAGE, "rcon ");
- strcat (message, rcon_client_password->string);
- strcat (message, " ");
+ Q_strcat (message, MAX_RCON_MESSAGE, rcon_client_password->string);
+ Q_strcat (message, MAX_RCON_MESSAGE, " ");
 // https://zerowing.idsoftware.com/bugzilla/show_bug.cgi?id=543
- strcat (message, Cmd_Cmd()+5);
+ Q_strcat (message, MAX_RCON_MESSAGE, Cmd_Cmd()+5);
 if ( cls.state >= CA_CONNECTED ) {
 to = clc.netchan.remoteAddress;
diff --git a/code/client/keys.h b/code/client/keys.h
index c852f5a..3a13107 100644
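Review bot: In the `@@ -1115,13 +1116,13 @@` hunk of code/client/cl_main.c the bounded appends stop the overflow, but nothing on the new side checks whether the password and `Cmd_Cmd()+5` actually fit, so an over-long line is presumably cut off and still sent. I would refuse it instead, right after `message[4] = 0;`: `if ( strlen( message ) + strlen( "rcon " ) + strlen( rcon_client_password->string ) + 1 + strlen( Cmd_Cmd()+5 ) >= sizeof( message ) ) { Com_Printf( "rcon command too long\n" ); return; }`. The `+5` offset also assumes the command line is at least as long as `rcon `, which the visible lines do not verify. CL_Rcon_f starts and ends outside this hunk, so an earlier guard may exist.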
--- a/code/client/keys.h
+++ b/code/client/keys.h
@@ -43,7 +43,7 @@ extern field_t historyEditLines[COMMAND_HISTORY];
 extern field_t g_consoleField;
 extern field_t chatField;
-extern qboolean anykeydown;
+extern int anykeydown;
 extern qboolean chat_team;
 extern int chat_playerNum;
diff --git a/code/game/q_shared.c b/code/game/q_shared.c
index 928332f..bd8daa5 100644
--- a/code/game/q_shared.c
+++ b/code/game/q_shared.c
@@ -453,7 +453,7 @@ char *COM_ParseExt( char **data_p, qboolean allowLineBreaks )
 *data_p = ( char * ) data;
 return com_token;
 }
- if (len < MAX_TOKEN_CHARS)
+ if (len < MAX_TOKEN_CHARS - 1)
 {
 com_token[len] = c;
 len++;
@@ -464,7 +464,7 @@ char *COM_ParseExt( char **data_p, qboolean allowLineBreaks )
 // parse a regular word
 do
 {
- if (len < MAX_TOKEN_CHARS)
+ if (len < MAX_TOKEN_CHARS - 1)
 {
 com_token[len] = c;
 len++;
@@ -475,11 +475,6 @@ char *COM_ParseExt( char **data_p, qboolean allowLineBreaks )
 com_lines++;
 } while (c>32);
- if (len == MAX_TOKEN_CHARS)
- {
-// Com_Printf ("Token exceeded %i chars, discarded.\n", MAX_TOKEN_CHARS);
- len = 0;
- }
 com_token[len] = 0;
 *data_p = ( char * ) data;
@@ -1192,7 +1187,7 @@ void Info_SetValueForKey( char *s, const char *key, const char *value ) {
 Com_sprintf (newi, sizeof(newi), "\\%s\\%s", key, value);
- if (strlen(newi) + strlen(s) > MAX_INFO_STRING)
+ if (strlen(newi) + strlen(s) >= MAX_INFO_STRING)
 {
 Com_Printf ("Info string length exceeded\n");
 return;
@@ -1240,7 +1235,7 @@ void Info_SetValueForKey_Big( char *s, const char *key, const char *value ) {
 Com_sprintf (newi, sizeof(newi), "\\%s\\%s", key, value);
- if (strlen(newi) + strlen(s) > BIG_INFO_STRING)
+ if (strlen(newi) + strlen(s) >= BIG_INFO_STRING)
 {
 Com_Printf ("BIG Info string length exceeded\n");
 return;
diff --git a/code/q3_ui/ui_players.c b/code/q3_ui/ui_players.c
index 547fa97..b1462b8 100644
--- a/code/q3_ui/ui_players.c
+++ b/code/q3_ui/ui_players.c
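Review bot: With the cap at `MAX_TOKEN_CHARS - 1` in the `@@ -453,7` and `@@ -464,7` hunks of code/game/q_shared.c, and the discard block removed in the `@@ -475,11 +475,6` hunk, an over-long token is now returned truncated instead of empty, and the caller gets no signal that it was cut. A consumer that compares the token with a name or path would then act on a prefix of what the input contained. I would either keep a warning on that path, e.g. `Com_Printf ("Token exceeded %i chars, truncated.\n", MAX_TOKEN_CHARS - 1);`, or state the truncation in the function's header comment. COM_ParseExt starts and ends outside these hunks, so whether its callers tolerate truncated tokens cannot be judged from here.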
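Review bot: The rejection path under the new `>=` test in Info_SetValueForKey (`@@ -1192,7` hunk) gives neither the caller nor the log anything to act on: the function is `void` per the hunk header, and the printed message names no key. As this is presumably the q3infoboom fix named in the commit message, a line such as `Com_Printf ("Info string length exceeded (key %s)\n", key);` would let an operator see which field was dropped. The same applies to the `BIG_INFO_STRING` check in the `@@ -1240,7` hunk. Both function bodies continue outside the hunks.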
@@ -943,6 +943,7 @@ static qboolean UI_ParseAnimationFile( const char *filename, animation_t *animat
 }
 if ( len >= ( sizeof( text ) - 1 ) ) {
 Com_Printf( "File %s too long\n", filename );
+ trap_FS_FCloseFile( f );
 return qfalse;
 }
 trap_FS_Read( text, len, f );
diff --git a/code/qcommon/files.c b/code/qcommon/files.c
index 47e2160..3537fff 100644
--- a/code/qcommon/files.c
+++ b/code/qcommon/files.c
@@ -950,11 +950,11 @@ qboolean FS_FilenameCompare( const char *s1, const char *s2 ) {
 }
 if (c1 != c2) {
- return -1; // strings not equal
+ return qtrue; // strings not equal
 }
 } while (c1);
- return 0; // strings are equal
+ return qfalse; // strings are equal
 }
 /*
diff --git a/code/server/sv_main.c b/code/server/sv_main.c
index 0d3f96c..2804a52 100644
--- a/code/server/sv_main.c
+++ b/code/server/sv_main.c
@@ -172,6 +172,14 @@ void QDECL SV_SendServerCommand(client_t *cl, const char *fmt, ...) {
 Q_vsnprintf ((char *)message, sizeof(message), fmt,argptr);
 va_end (argptr);
+ // Fix to http://aluigi.altervista.org/adv/q3msgboom-adv.txt
+ // The actual cause of the bug is probably further downstream
+ // and should maybe be addressed later, but this certainly
+ // fixes the problem for now
+ if ( strlen ((char *)message) > 1022 ) {
+ return;
+ }
+
 if ( cl != NULL ) {
 SV_AddServerCommand( cl, (char *)message );
 return;
diff --git a/code/ui/ui_players.c b/code/ui/ui_players.c
index b774815..a40dcaa 100644
--- a/code/ui/ui_players.c
+++ b/code/ui/ui_players.c
@@ -1040,6 +1040,7 @@ static qboolean UI_ParseAnimationFile( const char *filename, animation_t *animat
 }
 if ( len >= ( sizeof( text ) - 1 ) ) {
 Com_Printf( "File %s too long\n", filename );
+ trap_FS_FCloseFile( f );
 return qfalse;
 }
 trap_FS_Read( text, len, f ); |
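Review bot: The return convention of FS_FilenameCompare in code/qcommon/files.c reads backwards from its name: `qtrue` means the names differ and `qfalse` means they match, and only the two trailing comments say so. A caller written as `if ( FS_FilenameCompare( a, b ) )` looks like an equality test but fires on a mismatch, which matters wherever the result gates a file-name check. I would add a header comment such as `// returns qfalse when the names match, qtrue when they differ (strcmp-style truthiness)`. The function starts outside the hunk, so any existing header comment is not visible here.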
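Review bot: The new guard in SV_SendServerCommand (code/server/sv_main.c) drops the command without any trace, and `1022` is a bare number with no visible link to the size of `message` or to the downstream buffer the comment alludes to. A silent `return` leaves a server operator unable to tell an oversized message of the q3msgboom kind from normal traffic; logging it, e.g. `Com_Printf( "SV_SendServerCommand: dropped %i-char command\n", (int)strlen( (char *)message ) );`, gives something to alert on. Deriving the limit from a named constant beside the buffer it protects would also keep the check correct if that size changes. The declaration of `message` is outside the hunk.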