CVE-2005-0984 Buffer overflow in the G_Printf function

CVE-2005-0984
Buffer overflow in the G_Printf function in Star Wars Jedi Knight:
Jedi Academy 1.011 and earlier allows remote attackers to execute
arbitrary code via a long message using commands such as (1) say and
(2) tell.

Luigi Auriemma jamsgbof
This commit is contained in:
Jonathan Gray 2013-05-07 13:56:54 +10:00
parent 5ae4da05a7
commit 518c81038f
2 changed files with 9 additions and 9 deletions

View file

@ -1211,7 +1211,7 @@ void QDECL CG_Printf( const char *msg, ... ) {
char text[1024];
va_start (argptr, msg);
vsprintf (text, msg, argptr);
Q_vsnprintf (text, sizeof(text), msg, argptr);
va_end (argptr);
trap_Print( text );
@ -1222,7 +1222,7 @@ void QDECL CG_Error( const char *msg, ... ) {
char text[1024];
va_start (argptr, msg);
vsprintf (text, msg, argptr);
Q_vsnprintf (text, sizeof(text), msg, argptr);
va_end (argptr);
trap_Error( text );
@ -1236,7 +1236,7 @@ void QDECL Com_Error( int level, const char *error, ... ) {
char text[1024];
va_start (argptr, error);
vsprintf (text, error, argptr);
Q_vsnprintf (text, sizeof(text), error, argptr);
va_end (argptr);
CG_Error( "%s", text);
@ -1247,7 +1247,7 @@ void QDECL Com_Printf( const char *msg, ... ) {
char text[1024];
va_start (argptr, msg);
vsprintf (text, msg, argptr);
Q_vsnprintf (text, sizeof(text), msg, argptr);
va_end (argptr);
CG_Printf ("%s", text);

View file

@ -699,7 +699,7 @@ void QDECL G_Printf( const char *fmt, ... ) {
char text[1024];
va_start (argptr, fmt);
vsprintf (text, fmt, argptr);
Q_vsnprintf (text, sizeof(text), fmt, argptr);
va_end (argptr);
trap_Printf( text );
@ -710,7 +710,7 @@ void QDECL G_Error( const char *fmt, ... ) {
char text[1024];
va_start (argptr, fmt);
vsprintf (text, fmt, argptr);
Q_vsnprintf (text, sizeof(text), fmt, argptr);
va_end (argptr);
trap_Error( text );
@ -1204,7 +1204,7 @@ void QDECL Com_Error ( int level, const char *error, ... ) {
char text[1024];
va_start (argptr, error);
vsprintf (text, error, argptr);
Q_vsnprintf (text, sizeof(text), error, argptr);
va_end (argptr);
G_Error( "%s", text);
@ -1215,7 +1215,7 @@ void QDECL Com_Printf( const char *msg, ... ) {
char text[1024];
va_start (argptr, msg);
vsprintf (text, msg, argptr);
Q_vsnprintf (text, sizeof(text), msg, argptr);
va_end (argptr);
G_Printf ("%s", text);
@ -2219,7 +2219,7 @@ void QDECL G_LogPrintf( const char *fmt, ... ) {
Com_sprintf( string, sizeof(string), "%3i:%i%i ", min, tens, sec );
va_start( argptr, fmt );
vsprintf( string +7 , fmt,argptr );
Q_vsnprintf( string +7, sizeof(string) - 7, fmt,argptr );
va_end( argptr );
if ( g_dedicated.integer ) {