From 8fc8601e0bcfb190aa378bc462a405ef41567e06 Mon Sep 17 00:00:00 2001
From: Jonathan Gray
Date: Tue, 7 May 2013 01:25:34 +1000
Subject: [PATCH] CVE-2005-0430 Fixed q3infoboom CVE-2005-0430 The Quake 3 engine, as used in multiple game packages, allows remote attackers to cause a denial of service (shutdown game server) and possibly crash the server via a long infostring, possibly triggering a buffer overflow. Luigi Auriemma q3infoboom from Tim Angus in ioquake3 svn 95 git 33a48a0336865a9d21983e4836920cd9f3401101 It looks as if the q3infoboom bug has already been fixed in ioQ3 in a different way, though this patch addresses the cause. The existing fix should stay since it's a sensible sanity check anyway. from http://www.quakesrc.org/forums/viewtopic.php?t=5374
---
codemp/game/q_shared.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/codemp/game/q_shared.c b/codemp/game/q_shared.c
index 7a96921..079a9e9 100644
--- a/codemp/game/q_shared.c
+++ b/codemp/game/q_shared.c
@@ -1346,7 +1346,7 @@ void Info_SetValueForKey( char *s, const char *key, const char *value ) {
 Com_sprintf (newi, sizeof(newi), "\\%s\\%s", key, value);
- if (strlen(newi) + strlen(s) > MAX_INFO_STRING)
+ if (strlen(newi) + strlen(s) >= MAX_INFO_STRING)
 {
 Com_Printf ("Info string length exceeded\n");
 return;
@@ -1394,7 +1394,7 @@ void Info_SetValueForKey_Big( char *s, const char *key, const char *value ) {
 Com_sprintf (newi, sizeof(newi), "\\%s\\%s", key, value);
- if (strlen(newi) + strlen(s) > BIG_INFO_STRING)
+ if (strlen(newi) + strlen(s) >= BIG_INFO_STRING)
 {
 Com_Printf ("BIG Info string length exceeded\n");
 return;
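Review bot: The corrected bound in Info_SetValueForKey compares against `MAX_INFO_STRING`, while the Com_sprintf call just above it sizes the same buffer with `sizeof(newi)`. Writing the check as `if (strlen(newi) + strlen(s) >= sizeof(newi))` would keep the limit tied to the buffer that presumably receives the concatenation; its declaration and later use lie outside the hunk. The same applies to the `BIG_INFO_STRING` comparison in Info_SetValueForKey_Big. Neither function can verify how much room the caller's `s` has, since only a `char *` is passed, so a comment such as `/* s must point to at least MAX_INFO_STRING bytes; >= leaves room for the terminating NUL */` would record the contract the check depends on. Both function bodies start and end outside the hunks.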