From 518c81038f94b1f7d30065d4820e138c9d5823a3 Mon Sep 17 00:00:00 2001
From: Jonathan Gray
Date: Tue, 7 May 2013 13:56:54 +1000
Subject: [PATCH] CVE-2005-0984 Buffer overflow in the G_Printf function CVE-2005-0984 Buffer overflow in the G_Printf function in Star Wars Jedi Knight: Jedi Academy 1.011 and earlier allows remote attackers to execute arbitrary code via a long message using commands such as (1) say and (2) tell. Luigi Auriemma jamsgbof
---
 codemp/cgame/cg_main.c | 8 ++++----
 codemp/game/g_main.c | 10 +++++-----
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/codemp/cgame/cg_main.c b/codemp/cgame/cg_main.c
index cceb848..7876637 100644
--- a/codemp/cgame/cg_main.c
+++ b/codemp/cgame/cg_main.c
@@ -1211,7 +1211,7 @@ void QDECL CG_Printf( const char *msg, ... ) {
 char text[1024];
 va_start (argptr, msg);
- vsprintf (text, msg, argptr);
+ Q_vsnprintf (text, sizeof(text), msg, argptr);
 va_end (argptr);
 trap_Print( text );
@@ -1222,7 +1222,7 @@ void QDECL CG_Error( const char *msg, ... ) {
 char text[1024];
 va_start (argptr, msg);
- vsprintf (text, msg, argptr);
+ Q_vsnprintf (text, sizeof(text), msg, argptr);
 va_end (argptr);
 trap_Error( text );
@@ -1236,7 +1236,7 @@ void QDECL Com_Error( int level, const char *error, ... ) {
 char text[1024];
 va_start (argptr, error);
- vsprintf (text, error, argptr);
+ Q_vsnprintf (text, sizeof(text), error, argptr);
 va_end (argptr);
 CG_Error( "%s", text);
@@ -1247,7 +1247,7 @@ void QDECL Com_Printf( const char *msg, ... ) {
 char text[1024];
 va_start (argptr, msg);
- vsprintf (text, msg, argptr);
+ Q_vsnprintf (text, sizeof(text), msg, argptr);
 va_end (argptr);
 CG_Printf ("%s", text);
diff --git a/codemp/game/g_main.c b/codemp/game/g_main.c
index 14ad529..3afecd5 100644
--- a/codemp/game/g_main.c
+++ b/codemp/game/g_main.c
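Review bot: Nothing visible in this patch establishes that `Q_vsnprintf` NUL-terminates `text` when the output is truncated, yet `CG_Printf` hands the buffer straight to `trap_Print`; the same applies to the other three hunks in cg_main.c and to all five in g_main.c. If the wrapper maps to a platform `_vsnprintf`-style function on some builds, a message of 1024 bytes or more would leave the buffer unterminated, and the consumer would then read past the end of it. Please confirm the wrapper's contract, or add `text[sizeof(text) - 1] = '\0';` after each call. The return value is also discarded, so long `say`/`tell` input is now cut silently; a comment such as `// output is truncated to sizeof(text)-1 bytes, not rejected` would record that. Each function body starts and ends outside its hunk.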
@@ -699,7 +699,7 @@ void QDECL G_Printf( const char *fmt, ... ) {
 char text[1024];
 va_start (argptr, fmt);
- vsprintf (text, fmt, argptr);
+ Q_vsnprintf (text, sizeof(text), fmt, argptr);
 va_end (argptr);
 trap_Printf( text );
@@ -710,7 +710,7 @@ void QDECL G_Error( const char *fmt, ... ) {
 char text[1024];
 va_start (argptr, fmt);
- vsprintf (text, fmt, argptr);
+ Q_vsnprintf (text, sizeof(text), fmt, argptr);
 va_end (argptr);
 trap_Error( text );
@@ -1204,7 +1204,7 @@ void QDECL Com_Error ( int level, const char *error, ... ) {
 char text[1024];
 va_start (argptr, error);
- vsprintf (text, error, argptr);
+ Q_vsnprintf (text, sizeof(text), error, argptr);
 va_end (argptr);
 G_Error( "%s", text);
@@ -1215,7 +1215,7 @@ void QDECL Com_Printf( const char *msg, ... ) {
 char text[1024];
 va_start (argptr, msg);
- vsprintf (text, msg, argptr);
+ Q_vsnprintf (text, sizeof(text), msg, argptr);
 va_end (argptr);
 G_Printf ("%s", text);
@@ -2219,7 +2219,7 @@ void QDECL G_LogPrintf( const char *fmt, ... ) {
 Com_sprintf( string, sizeof(string), "%3i:%i%i ", min, tens, sec );
 va_start( argptr, fmt );
- vsprintf( string +7 , fmt,argptr );
+ Q_vsnprintf( string +7, sizeof(string) - 7, fmt,argptr );
 va_end( argptr );
 if ( g_dedicated.integer ) {
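Review bot: The offset `7` in `Q_vsnprintf( string +7, sizeof(string) - 7, fmt,argptr );` in G_LogPrintf is tied by hand to the width of the `"%3i:%i%i "` prefix that `Com_sprintf` writes on the line above, and the new code now repeats it in both the pointer and the size. The bound is only right while `string` is a real array longer than 7 bytes; its declaration is outside the hunk, so that is assumed rather than visible. Deriving the offset from the buffer, e.g. `size_t off = strlen(string);` followed by `Q_vsnprintf( string + off, sizeof(string) - off, fmt, argptr );`, keeps pointer and remaining size in step. It also stops the message from overwriting the prefix's last character should `min` ever print as four digits. G_LogPrintf starts and ends outside the hunk.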