From a679ae64e0a659e2b94ec97e688633bc1a0d041e Mon Sep 17 00:00:00 2001
From: thilo <thilo@edf5b092-35ff-0310-97b2-ce42778d08ea>
Date: Sat, 6 May 2006 01:56:24 +0000
Subject: Add string length checking to function COM_StripExtension. This fixes
 the R_RemapShader buffer overflow exploit that can be found here:
 http://milw0rm.com/exploits/1750

git-svn-id: svn://svn.icculus.org/quake3/trunk@765 edf5b092-35ff-0310-97b2-ce42778d08ea
---
 code/q3_ui/ui_playermodel.c | 4 ++--
 code/q3_ui/ui_players.c     | 4 ++--
 code/q3_ui/ui_saveconfig.c  | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

(limited to 'code/q3_ui')

diff --git a/code/q3_ui/ui_playermodel.c b/code/q3_ui/ui_playermodel.c
index 009f77d..e247149 100644
--- a/code/q3_ui/ui_playermodel.c
+++ b/code/q3_ui/ui_playermodel.c
@@ -391,7 +391,7 @@ static void PlayerModel_BuildList( void )
 	int		numfiles;
 	char	dirlist[2048];
 	char	filelist[2048];
-	char	skinname[64];
+	char	skinname[MAX_QPATH];
 	char*	dirptr;
 	char*	fileptr;
 	int		i;
@@ -424,7 +424,7 @@ static void PlayerModel_BuildList( void )
 		{
 			filelen = strlen(fileptr);
 
-			COM_StripExtension(fileptr,skinname);
+			COM_StripExtension(fileptr,skinname, sizeof(skinname));
 
 			// look for icon_????
 			if (!Q_stricmpn(skinname,"icon_",5))
diff --git a/code/q3_ui/ui_players.c b/code/q3_ui/ui_players.c
index db4b438..182b5f0 100644
--- a/code/q3_ui/ui_players.c
+++ b/code/q3_ui/ui_players.c
@@ -89,13 +89,13 @@ tryagain:
 
 	if ( weaponNum == WP_MACHINEGUN || weaponNum == WP_GAUNTLET || weaponNum == WP_BFG ) {
 		strcpy( path, item->world_model[0] );
-		COM_StripExtension( path, path );
+		COM_StripExtension( path, path, sizeof(path) );
 		strcat( path, "_barrel.md3" );
 		pi->barrelModel = trap_R_RegisterModel( path );
 	}
 
 	strcpy( path, item->world_model[0] );
-	COM_StripExtension( path, path );
+	COM_StripExtension( path, path, sizeof(path) );
 	strcat( path, "_flash.md3" );
 	pi->flashModel = trap_R_RegisterModel( path );
 
diff --git a/code/q3_ui/ui_saveconfig.c b/code/q3_ui/ui_saveconfig.c
index e988463..c9f0bc2 100644
--- a/code/q3_ui/ui_saveconfig.c
+++ b/code/q3_ui/ui_saveconfig.c
@@ -85,7 +85,7 @@ static void UI_SaveConfigMenu_SaveEvent( void *ptr, int event ) {
 		return;
 	}
 
-	COM_StripExtension(saveConfig.savename.field.buffer, configname );
+	COM_StripExtension(saveConfig.savename.field.buffer, configname, sizeof(configname));
 	trap_Cmd_ExecuteText( EXEC_APPEND, va( "writeconfig %s.cfg\n", configname ) );
 	UI_PopMenu();
 }
-- 
cgit v1.2.3