From 847d6004693ad11123ab068aabd233880aafc7ef Mon Sep 17 00:00:00 2001 From: thilo Date: Tue, 6 Oct 2009 14:28:50 +0000 Subject: Fix memory overwrite when client has too many maps. Thanks to beast for the reporting & the patch. http://bugzilla.icculus.org/process_bug.cgi git-svn-id: svn://svn.icculus.org/quake3/trunk@1646 edf5b092-35ff-0310-97b2-ce42778d08ea --- code/q3_ui/ui_gameinfo.c | 4 +-- code/q3_ui/ui_startserver.c | 80 ++++++++++++++++++++++++--------------------- 2 files changed, 44 insertions(+), 40 deletions(-) diff --git a/code/q3_ui/ui_gameinfo.c b/code/q3_ui/ui_gameinfo.c index be0497b..d9deacd 100644 --- a/code/q3_ui/ui_gameinfo.c +++ b/code/q3_ui/ui_gameinfo.c @@ -169,7 +169,7 @@ static void UI_LoadArenas( void ) { int numdirs; vmCvar_t arenasFile; char filename[128]; - char dirlist[1024]; + char dirlist[2048]; char* dirptr; int i, n; int dirlen; @@ -188,7 +188,7 @@ static void UI_LoadArenas( void ) { } // get all arenas from .arena files - numdirs = trap_FS_GetFileList("scripts", ".arena", dirlist, 1024 ); + numdirs = trap_FS_GetFileList("scripts", ".arena", dirlist, 2048 ); dirptr = dirlist; for (i = 0; i < numdirs; i++, dirptr += dirlen+1) { dirlen = strlen(dirptr); diff --git a/code/q3_ui/ui_startserver.c b/code/q3_ui/ui_startserver.c index 2c56a10..c5745d1 100644 --- a/code/q3_ui/ui_startserver.c +++ b/code/q3_ui/ui_startserver.c @@ -50,12 +50,8 @@ START SERVER MENU ***** #define MAX_MAPROWS 2 #define MAX_MAPCOLS 2 #define MAX_MAPSPERPAGE 4 - -#define MAX_SERVERSTEXT 8192 - -#define MAX_SERVERMAPS 64 + #define MAX_NAMELENGTH 16 - #define ID_GAMETYPE 10 #define ID_PICTURES 11 // 12, 13, 14 #define ID_PREVPAGE 15 @@ -87,8 +83,7 @@ typedef struct { int nummaps; int page; int maxpages; - char maplist[MAX_SERVERMAPS][MAX_NAMELENGTH]; - int mapGamebits[MAX_SERVERMAPS]; + int maplist[MAX_ARENAS]; } startserver_t; static startserver_t s_startserver; @@ -166,16 +161,22 @@ StartServer_Update static void StartServer_Update( void ) { int i; int top; - static char picname[MAX_MAPSPERPAGE][64]; + static char picname[MAX_MAPSPERPAGE][64]; + const char *info; + char mapname[MAX_NAMELENGTH]; top = s_startserver.page*MAX_MAPSPERPAGE; for (i=0; i= s_startserver.nummaps) - break; - - Com_sprintf( picname[i], sizeof(picname[i]), "levelshots/%s", s_startserver.maplist[top+i] ); + break; + + info = UI_GetArenaInfoByNumber( s_startserver.maplist[ top + i ]); + Q_strncpyz( mapname, Info_ValueForKey( info, "map"), MAX_NAMELENGTH ); + Q_strupr( mapname ); + + Com_sprintf( picname[i], sizeof(picname[i]), "levelshots/%s", mapname ); s_startserver.mappics[i].generic.flags &= ~QMF_HIGHLIGHT; s_startserver.mappics[i].generic.name = picname[i]; @@ -216,7 +217,8 @@ static void StartServer_Update( void ) { } // set the map name - strcpy( s_startserver.mapname.string, s_startserver.maplist[s_startserver.currentmap] ); + info = UI_GetArenaInfoByNumber( s_startserver.maplist[ s_startserver.currentmap ]); + Q_strncpyz( s_startserver.mapname.string, Info_ValueForKey( info, "map" ), MAX_NAMELENGTH); } Q_strupr( s_startserver.mapname.string ); @@ -249,7 +251,7 @@ static void StartServer_GametypeEvent( void* ptr, int event ) { int gamebits; int matchbits; const char *info; - + if( event != QM_ACTIVATED) { return; } @@ -259,18 +261,16 @@ static void StartServer_GametypeEvent( void* ptr, int event ) { matchbits = 1 << gametype_remap[s_startserver.gametype.curvalue]; if( gametype_remap[s_startserver.gametype.curvalue] == GT_FFA ) { matchbits |= ( 1 << GT_SINGLE_PLAYER ); - } + } for( i = 0; i < count; i++ ) { - info = UI_GetArenaInfoByNumber( i ); - + info = UI_GetArenaInfoByNumber( i ); + gamebits = GametypeBits( Info_ValueForKey( info, "type") ); if( !( gamebits & matchbits ) ) { continue; } - - Q_strncpyz( s_startserver.maplist[s_startserver.nummaps], Info_ValueForKey( info, "map"), MAX_NAMELENGTH ); - Q_strupr( s_startserver.maplist[s_startserver.nummaps] ); - s_startserver.mapGamebits[s_startserver.nummaps] = gamebits; + + s_startserver.maplist[ s_startserver.nummaps ] = i; s_startserver.nummaps++; } s_startserver.maxpages = (s_startserver.nummaps + MAX_MAPSPERPAGE-1)/MAX_MAPSPERPAGE; @@ -330,6 +330,7 @@ static void StartServer_LevelshotDraw( void *self ) { int w; int h; int n; + const char *info; b = (menubitmap_s *)self; @@ -363,7 +364,9 @@ static void StartServer_LevelshotDraw( void *self ) { x += b->width / 2; y += 4; n = s_startserver.page * MAX_MAPSPERPAGE + b->generic.id - ID_PICTURES; - UI_DrawString( x, y, s_startserver.maplist[n], UI_CENTER|UI_SMALLFONT, color_orange ); + + info = UI_GetArenaInfoByNumber( s_startserver.maplist[ n ]); + UI_DrawString( x, y, Info_ValueForKey( info, "map" ), UI_CENTER|UI_SMALLFONT, color_orange ); x = b->generic.x; y = b->generic.y; @@ -556,6 +559,7 @@ void StartServer_Cache( void ) const char *info; qboolean precache; char picname[64]; + char mapname[ MAX_NAMELENGTH ]; trap_R_RegisterShaderNoMip( GAMESERVER_BACK0 ); trap_R_RegisterShaderNoMip( GAMESERVER_BACK1 ); @@ -572,22 +576,16 @@ void StartServer_Cache( void ) precache = trap_Cvar_VariableValue("com_buildscript"); - s_startserver.nummaps = UI_GetNumArenas(); - - for( i = 0; i < s_startserver.nummaps; i++ ) { - info = UI_GetArenaInfoByNumber( i ); - - Q_strncpyz( s_startserver.maplist[i], Info_ValueForKey( info, "map"), MAX_NAMELENGTH ); - Q_strupr( s_startserver.maplist[i] ); - s_startserver.mapGamebits[i] = GametypeBits( Info_ValueForKey( info, "type") ); - - if( precache ) { - Com_sprintf( picname, sizeof(picname), "levelshots/%s", s_startserver.maplist[i] ); + if( precache ) { + for( i = 0; i < UI_GetNumArenas(); i++ ) { + info = UI_GetArenaInfoByNumber( i ); + Q_strncpyz( mapname, Info_ValueForKey( info, "map"), MAX_NAMELENGTH ); + Q_strupr( mapname ); + + Com_sprintf( picname, sizeof(picname), "levelshots/%s", mapname ); trap_R_RegisterShaderNoMip(picname); } } - - s_startserver.maxpages = (s_startserver.nummaps + MAX_MAPSPERPAGE-1)/MAX_MAPSPERPAGE; } @@ -732,7 +730,7 @@ static void ServerOptions_Start( void ) { int skill; int n; char buf[64]; - + const char *info; timelimit = atoi( s_serveroptions.timelimit.field.buffer ); fraglimit = atoi( s_serveroptions.fraglimit.field.buffer ); @@ -790,7 +788,8 @@ static void ServerOptions_Start( void ) { trap_Cvar_SetValue( "sv_punkbuster", s_serveroptions.punkbuster.curvalue ); // the wait commands will allow the dedicated to take effect - trap_Cmd_ExecuteText( EXEC_APPEND, va( "wait ; wait ; map %s\n", s_startserver.maplist[s_startserver.currentmap] ) ); + info = UI_GetArenaInfoByNumber( s_startserver.maplist[ s_startserver.currentmap ]); + trap_Cmd_ExecuteText( EXEC_APPEND, va( "wait ; wait ; map %s\n", Info_ValueForKey( info, "map" ))); // add bots trap_Cmd_ExecuteText( EXEC_APPEND, "wait 3\n" ); @@ -1128,7 +1127,9 @@ ServerOptions_SetMenuItems ================= */ static void ServerOptions_SetMenuItems( void ) { - static char picname[64]; + static char picname[64]; + char mapname[MAX_NAMELENGTH]; + const char *info; switch( s_serveroptions.gametype ) { case GT_FFA: @@ -1159,7 +1160,10 @@ static void ServerOptions_SetMenuItems( void ) { s_serveroptions.pure.curvalue = Com_Clamp( 0, 1, trap_Cvar_VariableValue( "sv_pure" ) ); // set the map pic - Com_sprintf( picname, 64, "levelshots/%s", s_startserver.maplist[s_startserver.currentmap] ); + info = UI_GetArenaInfoByNumber( s_startserver.maplist[ s_startserver.currentmap ]); + Q_strncpyz( mapname, Info_ValueForKey( info, "map"), MAX_NAMELENGTH ); + Q_strupr( mapname ); + Com_sprintf( picname, 64, "levelshots/%s", mapname ); s_serveroptions.mappic.generic.name = picname; // set the map name -- cgit v1.2.3