From a679ae64e0a659e2b94ec97e688633bc1a0d041e Mon Sep 17 00:00:00 2001 From: thilo Date: Sat, 6 May 2006 01:56:24 +0000 Subject: Add string length checking to function COM_StripExtension. This fixes the R_RemapShader buffer overflow exploit that can be found here: http://milw0rm.com/exploits/1750 git-svn-id: svn://svn.icculus.org/quake3/trunk@765 edf5b092-35ff-0310-97b2-ce42778d08ea --- code/ui/ui_main.c | 4 ++-- code/ui/ui_players.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'code/ui') diff --git a/code/ui/ui_main.c b/code/ui/ui_main.c index c1af0ed..95d2c34 100644 --- a/code/ui/ui_main.c +++ b/code/ui/ui_main.c @@ -4958,7 +4958,7 @@ static void UI_BuildQ3Model_List( void ) int numfiles; char dirlist[2048]; char filelist[2048]; - char skinname[64]; + char skinname[MAX_QPATH]; char scratch[256]; char* dirptr; char* fileptr; @@ -4988,7 +4988,7 @@ static void UI_BuildQ3Model_List( void ) { filelen = strlen(fileptr); - COM_StripExtension(fileptr,skinname); + COM_StripExtension(fileptr, skinname, sizeof(skinname)); // look for icon_???? if (Q_stricmpn(skinname, "icon_", 5) == 0 && !(Q_stricmp(skinname,"icon_blue") == 0 || Q_stricmp(skinname,"icon_red") == 0)) diff --git a/code/ui/ui_players.c b/code/ui/ui_players.c index c164327..b09fb32 100644 --- a/code/ui/ui_players.c +++ b/code/ui/ui_players.c @@ -90,13 +90,13 @@ tryagain: if ( weaponNum == WP_MACHINEGUN || weaponNum == WP_GAUNTLET || weaponNum == WP_BFG ) { strcpy( path, item->world_model[0] ); - COM_StripExtension( path, path ); + COM_StripExtension(path, path, sizeof(path)); strcat( path, "_barrel.md3" ); pi->barrelModel = trap_R_RegisterModel( path ); } strcpy( path, item->world_model[0] ); - COM_StripExtension( path, path ); + COM_StripExtension(path, path, sizeof(path)); strcat( path, "_flash.md3" ); pi->flashModel = trap_R_RegisterModel( path ); -- cgit v1.2.3