From 66e0e31b574f434f82686d6f9c0783ccae553a9a Mon Sep 17 00:00:00 2001 From: "Zephaniah E. Hull" Date: Tue, 5 Dec 2000 11:08:30 +0000 Subject: [PATCH] strcat -> strncat sprintf -> snprintf AKA, really big buffer overflow security fixes. More to come, geez we have holes everywhere. --- source/cl_cam.c | 2 +- source/cl_main.c | 10 +++++----- source/cl_parse.c | 2 +- source/cl_sys_win.c | 2 +- source/cmd.c | 10 +++++----- source/console.c | 4 ++-- source/cvar.c | 2 +- source/gl_mesh.c | 2 +- source/gl_model_brush.c | 2 +- source/gl_ngraph.c | 2 +- source/gl_screen.c | 4 ++-- source/keys.c | 4 ++-- source/locs.c | 3 --- source/model_alias.c | 2 +- source/net_udp.c | 4 ++-- source/pr_cmds.c | 12 +++++------ source/pr_edict.c | 44 ++++++++++++++++++++--------------------- source/qargs.c | 2 +- source/quakefs.c | 2 +- source/quakeio.c | 2 +- source/r_misc.c | 2 +- source/sbar.c | 26 ++++++++++++------------ source/screen.c | 4 ++-- source/snd_dma.c | 4 ++-- source/snd_mem.c | 2 +- source/sv_ccmds.c | 4 ++-- source/sv_main.c | 4 ++-- source/sv_send.c | 2 +- source/sv_user.c | 4 ++-- 29 files changed, 83 insertions(+), 86 deletions(-) diff --git a/source/cl_cam.c b/source/cl_cam.c index a977287..c858811 100644 --- a/source/cl_cam.c +++ b/source/cl_cam.c @@ -148,7 +148,7 @@ void Cam_Lock(int playernum) { char st[40]; - sprintf(st, "ptrack %i", playernum); + snprintf(st, sizeof(st), "ptrack %i", playernum); MSG_WriteByte (&cls.netchan.message, clc_stringcmd); MSG_WriteString (&cls.netchan.message, st); spec_track = playernum; diff --git a/source/cl_main.c b/source/cl_main.c index f8c92b3..bb1e0aa 100644 --- a/source/cl_main.c +++ b/source/cl_main.c 
@@ -328,7 +328,7 @@ void CL_CheckForResend (void) VID_SetCaption (va ("Connecting to %s", cls.servername)); Con_Printf ("Connecting to %s...\n", cls.servername); - sprintf (data, "%c%c%c%cgetchallenge\n", 255, 255, 255, 255); + snprintf (data, sizeof(data), "%c%c%c%cgetchallenge\n", 255, 255, 255, 255); NET_SendPacket (strlen(data), data, adr); } @@ -596,9 +596,9 @@ void CL_Color_f (void) if (bottom > 13) bottom = 13; - sprintf (num, "%i", top); + snprintf (num, sizeof(num), "%i", top); Cvar_Set (topcolor, num); - sprintf (num, "%i", bottom); + snprintf (num, sizeof(num), "%i", bottom); Cvar_Set (bottomcolor, num); } @@ -1171,8 +1171,8 @@ void CL_Init (void) Info_SetValueForKey (cls.userinfo, "bottomcolor", "0", MAX_INFO_STRING); Info_SetValueForKey (cls.userinfo, "rate", "2500", MAX_INFO_STRING); Info_SetValueForKey (cls.userinfo, "msg", "1", MAX_INFO_STRING); -// sprintf (st, "%s-%04d", QW_VERSION, build_number()); - sprintf (st, "%s", QW_VERSION); +// snprintf (st, sizeof(st), "%s-%04d", QW_VERSION, build_number()); + snprintf (st, sizeof(st), "%s", QW_VERSION); Info_SetValueForStarKey (cls.userinfo, "*ver", st, MAX_INFO_STRING); Info_SetValueForStarKey (cls.userinfo, "stdver", QSG_VERSION, MAX_INFO_STRING); diff --git a/source/cl_parse.c b/source/cl_parse.c index 5933642..cd2e72e 100644 --- a/source/cl_parse.c +++ b/source/cl_parse.c @@ -231,7 +231,7 @@ qboolean CL_CheckOrDownloadFile (char *filename) // to the real name when done, so if interrupted // a runt file wont be left COM_StripExtension (cls.downloadname, cls.downloadtempname); - strcat (cls.downloadtempname, ".tmp"); + strncat (cls.downloadtempname, ".tmp", sizeof(cls.downloadtempname)); MSG_WriteByte (&cls.netchan.message, clc_stringcmd); MSG_WriteString (&cls.netchan.message, va("download %s", cls.downloadname)); diff --git a/source/cl_sys_win.c b/source/cl_sys_win.c index 066a84f..e27de32 100644 --- a/source/cl_sys_win.c +++ b/source/cl_sys_win.c 
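Review bot: In CL_CheckOrDownloadFile the new `strncat (cls.downloadtempname, ".tmp", sizeof(cls.downloadtempname))` can still overflow, because strncat's third argument limits how many bytes are taken from the source, not the total size of the destination, and the terminating NUL is written on top of that. Assuming the field is an array, the bound has to be the space that is left: `strncat (cls.downloadtempname, ".tmp", sizeof(cls.downloadtempname) - strlen(cls.downloadtempname) - 1);`. The same `strncat (dst, src, sizeof(dst))` form is used by every strcat replacement in this patch (cl_sys_win.c, cmd.c, console.c, gl_mesh.c, gl_model_brush.c, keys.c, pr_cmds.c, pr_edict.c, qargs.c, quakefs.c, quakeio.c, snd_dma.c, snd_mem.c, sv_ccmds.c, sv_main.c, sv_send.c, sv_user.c). It matters most where the appended text is not a literal, such as `p` in SV_ConSay_f and SV_Say. The function starts and ends outside the hunk.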
@@ -331,7 +331,7 @@ char *Sys_ConsoleInput (void) if (i>0) { textCopied[i]=0; text[len]=0; - strcat(text, textCopied); + strncat (text, textCopied, sizeof(text)); len+=dummy; WriteFile(houtput, textCopied, i, &dummy, NULL); } diff --git a/source/cmd.c b/source/cmd.c index 502de54..63219c7 100644 --- a/source/cmd.c +++ b/source/cmd.c @@ -317,8 +317,8 @@ void Cmd_StuffCmds_f (void) c = com_cmdline[j]; com_cmdline[j] = 0; - strcat (build, com_cmdline+i); - strcat (build, "\n"); + strncat (build, com_cmdline+i, sizeof(build)); + strncat (build, "\n", sizeof(build)); com_cmdline[j] = c; i = j-1; } @@ -473,11 +473,11 @@ void Cmd_Alias_f (void) c = Cmd_Argc(); for (i=2 ; i< c ; i++) { - strcat (cmd, Cmd_Argv(i)); + strncat (cmd, Cmd_Argv(i), sizeof(cmd)); if (i != c) - strcat (cmd, " "); + strncat (cmd, " ", sizeof(cmd)); } - strcat (cmd, "\n"); + strncat (cmd, "\n", sizeof(cmd)); a->value = CopyString (cmd); } diff --git a/source/console.c b/source/console.c index 39a63a9..4f28eef 100644 --- a/source/console.c +++ b/source/console.c @@ -620,10 +620,10 @@ void Con_DrawConsole (int lines) y = x - i - 11; strncpy(dlbar, text, i); dlbar[i] = 0; - strcat(dlbar, "..."); + strncat (dlbar, "...", sizeof(dlbar)); } else strcpy(dlbar, text); - strcat(dlbar, ": "); + strncat (dlbar, ": ", sizeof(dlbar)); i = strlen(dlbar); dlbar[i++] = '\x80'; // where's the dot go? diff --git a/source/cvar.c b/source/cvar.c index 53f6565..7d5fb0a 100644 --- a/source/cvar.c +++ b/source/cvar.c @@ -241,7 +241,7 @@ void Cvar_SetValue (cvar_t *var, float value) char val[32]; int i; - sprintf (val, "%f", value); + snprintf (val, sizeof(val), "%f", value); for (i=strlen(val)-1 ; i>0 && val[i]=='0' && val[i-1]!='.' ; i--) { val[i] = 0; diff --git a/source/gl_mesh.c b/source/gl_mesh.c index 218a691..c4d47a0 100644 --- a/source/gl_mesh.c +++ b/source/gl_mesh.c 
@@ -329,7 +329,7 @@ void GL_MakeAliasModelDisplayLists (model_t *m, aliashdr_t *hdr) // strcpy (cache, "glquake/"); COM_StripExtension (m->name+strlen("progs/"), cache+strlen("glquake/")); - strcat (cache, ".ms2"); + strncat (cache, ".ms2", sizeof(cache)); COM_FOpenFile (cache, &f); if (f) diff --git a/source/gl_model_brush.c b/source/gl_model_brush.c index 4d86f35..5af3fe4 100644 --- a/source/gl_model_brush.c +++ b/source/gl_model_brush.c @@ -79,7 +79,7 @@ void Mod_LoadLighting (lump_t *l) strcpy(litfilename, loadmodel->name); COM_StripExtension(litfilename, litfilename); - strcat(litfilename, ".lit"); + strncat (litfilename, ".lit", sizeof(litfilename)); loadmodel->lightdata = (byte*) COM_LoadHunkFile (litfilename); if (!loadmodel->lightdata) // expand the white lighting data diff --git a/source/gl_ngraph.c b/source/gl_ngraph.c index 520ce06..3919ab9 100644 --- a/source/gl_ngraph.c +++ b/source/gl_ngraph.c @@ -146,7 +146,7 @@ void R_NetGraph (void) M_DrawTextBox (x, y, NET_TIMINGS/8, NET_GRAPHHEIGHT/8 + 1); y += 8; - sprintf(st, "%3i%% packet loss", lost); + snprintf(st, sizeof(st), "%3i%% packet loss", lost); Draw_String8 (8, y, st); y += 8; diff --git a/source/gl_screen.c b/source/gl_screen.c index ff9af5b..28bc287 100644 --- a/source/gl_screen.c +++ b/source/gl_screen.c @@ -474,7 +474,7 @@ void SCR_DrawFPS (void) lastframetime = t; } /* Misty: I really do need to read about sprintf a bit. This thing keeps chewing on my foot! */ - sprintf(st, "%-3d FPS", lastfps); + snprintf(st, sizeof(st), "%-3d FPS", lastfps); /* Misty: New trick! (for me) the ? makes this work like a if then else - IE: if cl_hudswap->int_val is not null, do first case, else (else is a : here) do second case. Deek taught me this trick */ 
@@ -511,7 +511,7 @@ void SCR_DrawTime (void) } /* now actually print it to the screen directly below where show_fps is */ - sprintf (st, "%s", local_time); + snprintf (st, sizeof(st), "%s", local_time); x = cl_hudswap->int_val ? vid.width - ((strlen (st) * 8) + 8) : 8; y = vid.height - sb_lines - 16; Draw_String8 (x, y, st); diff --git a/source/keys.c b/source/keys.c index 8c6dab5..1b91000 100644 --- a/source/keys.c +++ b/source/keys.c @@ -659,9 +659,9 @@ Key_Bind_f ( void ) cmd[0] = 0; // start out with a null string for (i=2 ; i< c ; i++) { - strcat (cmd, Cmd_Argv(i)); + strncat (cmd, Cmd_Argv(i), sizeof(cmd)); if (i != (c-1)) - strcat (cmd, " "); + strncat (cmd, " ", sizeof(cmd)); } Key_SetBinding (b, cmd); diff --git a/source/locs.c b/source/locs.c index 6b34c2f..c873cdf 100644 --- a/source/locs.c +++ b/source/locs.c @@ -31,9 +31,6 @@ #endif #include -#ifndef WIN32 -#include -#endif #include #include "client.h" diff --git a/source/model_alias.c b/source/model_alias.c index f9f2c93..ee3d35e 100644 --- a/source/model_alias.c +++ b/source/model_alias.c @@ -108,7 +108,7 @@ void Mod_LoadAliasModel (model_t *mod, void *buffer) for (len = com_filesize, p = buffer; len; len--, p++) CRC_ProcessByte(&crc, *p); - sprintf(st, "%d", (int) crc); + snprintf(st, sizeof(st), "%d", (int) crc); Info_SetValueForKey (cls.userinfo, !strcmp(loadmodel->name, "progs/player.mdl") ? pmodel_name : emodel_name, st, MAX_INFO_STRING); diff --git a/source/net_udp.c b/source/net_udp.c index 9c0f2ad..abc93cc 100644 --- a/source/net_udp.c +++ b/source/net_udp.c @@ -140,7 +140,7 @@ char *NET_AdrToString (netadr_t a) { static char s[64]; - sprintf (s, "%i.%i.%i.%i:%i", a.ip[0], a.ip[1], a.ip[2], a.ip[3], ntohs(a.port)); + snprintf (s, sizeof(s), "%i.%i.%i.%i:%i", a.ip[0], a.ip[1], a.ip[2], a.ip[3], ntohs(a.port)); return s; } 
@@ -149,7 +149,7 @@ char *NET_BaseAdrToString (netadr_t a) { static char s[64]; - sprintf (s, "%i.%i.%i.%i", a.ip[0], a.ip[1], a.ip[2], a.ip[3]); + snprintf (s, sizeof(s), "%i.%i.%i.%i", a.ip[0], a.ip[1], a.ip[2], a.ip[3]); return s; } diff --git a/source/pr_cmds.c b/source/pr_cmds.c index e5cec22..6bede00 100644 --- a/source/pr_cmds.c +++ b/source/pr_cmds.c @@ -65,7 +65,7 @@ char *PF_VarString (int first) out[0] = 0; for (i=first ; istufftext_buf; if (strlen(buf) + strlen(str) >= MAX_STUFFTEXT) PR_RunError ("stufftext buffer overflow"); - strcat (buf, str); + strncat (buf, str, sizeof(buf)); for (i = strlen(buf); i >= 0; i--) { @@ -864,11 +864,11 @@ void PF_ftos (void) v = G_FLOAT(OFS_PARM0); if (v == (int)v) - sprintf (pr_string_temp, "%d",(int)v); + snprintf (pr_string_temp, sizeof(pr_string_temp), "%d",(int)v); else // 1999-07-25 FTOS fix by Maddes start { - sprintf (pr_string_temp, "%1f", v); + snprintf (pr_string_temp, sizeof(pr_string_temp), "%1f", v); for (i=strlen(pr_string_temp)-1 ; i>0 && pr_string_temp[i]=='0' && pr_string_temp[i-1]!='.' ; i--) { pr_string_temp[i] = 0; @@ -887,7 +887,7 @@ void PF_fabs (void) void PF_vtos (void) { - sprintf (pr_string_temp, "'%5.1f %5.1f %5.1f'", G_VECTOR(OFS_PARM0)[0], G_VECTOR(OFS_PARM0)[1], G_VECTOR(OFS_PARM0)[2]); + snprintf (pr_string_temp, sizeof(pr_string_temp), "'%5.1f %5.1f %5.1f'", G_VECTOR(OFS_PARM0)[0], G_VECTOR(OFS_PARM0)[1], G_VECTOR(OFS_PARM0)[2]); G_INT(OFS_RETURN) = PR_SetString(pr_string_temp); } @@ -1625,7 +1625,7 @@ void PF_infokey (void) value = strcpy(ov, NET_BaseAdrToString (svs.clients[e1-1].netchan.remote_address)); else if (!strcmp(key, "ping")) { int ping = SV_CalcPing (&svs.clients[e1-1]); - sprintf(ov, "%d", ping); + snprintf(ov, sizeof(ov), "%d", ping); value = ov; } else value = Info_ValueForKey (svs.clients[e1-1].userinfo, key); diff --git a/source/pr_edict.c b/source/pr_edict.c index 4ac24f0..898e1f4 100644 --- a/source/pr_edict.c +++ b/source/pr_edict.c 
@@ -319,7 +319,7 @@ char *PR_ValueString (etype_t type, eval_t *val) snprintf (line, sizeof(line), "%s", PR_GetString(val->string)); break; case ev_entity: - sprintf (line, "entity %i", NUM_FOR_EDICT(PROG_TO_EDICT(val->edict)) ); + snprintf (line, sizeof(line), "entity %i", NUM_FOR_EDICT(PROG_TO_EDICT(val->edict)) ); break; case ev_function: f = pr_functions + val->function; @@ -333,16 +333,16 @@ char *PR_ValueString (etype_t type, eval_t *val) strcpy (line, "void"); break; case ev_float: - sprintf (line, "%5.1f", val->_float); + snprintf (line, sizeof(line), "%5.1f", val->_float); break; case ev_vector: - sprintf (line, "'%5.1f %5.1f %5.1f'", val->vector[0], val->vector[1], val->vector[2]); + snprintf (line, sizeof(line), "'%5.1f %5.1f %5.1f'", val->vector[0], val->vector[1], val->vector[2]); break; case ev_pointer: strcpy (line, "pointer"); break; default: - sprintf (line, "bad type %i", type); + snprintf (line, sizeof(line), "bad type %i", type); break; } @@ -371,7 +371,7 @@ char *PR_UglyValueString (etype_t type, eval_t *val) snprintf (line, sizeof(line), "%s", PR_GetString(val->string)); break; case ev_entity: - sprintf (line, "%i", NUM_FOR_EDICT(PROG_TO_EDICT(val->edict))); + snprintf (line, sizeof(line), "%i", NUM_FOR_EDICT(PROG_TO_EDICT(val->edict))); break; case ev_function: f = pr_functions + val->function; @@ -385,13 +385,13 @@ char *PR_UglyValueString (etype_t type, eval_t *val) strcpy (line, "void"); break; case ev_float: - sprintf (line, "%f", val->_float); + snprintf (line, sizeof(line), "%f", val->_float); break; case ev_vector: - sprintf (line, "%f %f %f", val->vector[0], val->vector[1], val->vector[2]); + snprintf (line, sizeof(line), "%f %f %f", val->vector[0], val->vector[1], val->vector[2]); break; default: - sprintf (line, "bad type %i", type); + snprintf (line, sizeof(line), "bad type %i", type); break; } 
@@ -417,7 +417,7 @@ char *PR_GlobalString (int ofs) val = (void *)&pr_globals[ofs]; def = ED_GlobalAtOfs(ofs); if (!def) - sprintf (line,"%i(???)", ofs); + snprintf (line, sizeof(line), "%i(???)", ofs); else { s = PR_ValueString (def->type, val); @@ -426,8 +426,8 @@ char *PR_GlobalString (int ofs) i = strlen(line); for ( ; i<20 ; i++) - strcat (line," "); - strcat (line," "); + strncat (line, " ", sizeof(line)); + strncat (line, " ", sizeof(line)); return line; } @@ -440,14 +440,14 @@ char *PR_GlobalStringNoContents (int ofs) def = ED_GlobalAtOfs(ofs); if (!def) - sprintf (line,"%i(???)", ofs); + snprintf (line, sizeof(line), "%i(???)", ofs); else - sprintf (line,"%i(%s)", ofs, PR_GetString(def->s_name)); + snprintf (line, sizeof(line), "%i(%s)", ofs, PR_GetString(def->s_name)); i = strlen(line); for ( ; i<20 ; i++) - strcat (line," "); - strcat (line," "); + strncat (line, " ", sizeof(line)); + strncat (line, " ", sizeof(line)); return line; } @@ -898,12 +898,12 @@ char *ED_ParseEdict (char *data, edict_t *ent) continue; } -if (anglehack) -{ -char temp[32]; -strcpy (temp, com_token); -sprintf (com_token, "0 %s 0", temp); -} + if (anglehack) + { + char temp[32]; + strcpy (temp, com_token); + snprintf (com_token, sizeof(com_token), "0 %s 0", temp); + } if (!ED_ParseEpair ((void *)&ent->v, key, com_token)) SV_Error ("ED_ParseEdict: parse error"); @@ -1019,7 +1019,7 @@ void PR_LoadProgs (void) Con_DPrintf ("Programs occupy %iK.\n", com_filesize/1024); // add prog crc to the serverinfo - sprintf (num, "%i", CRC_Block ((byte *)progs, com_filesize)); + snprintf (num, sizeof(num), "%i", CRC_Block ((byte *)progs, com_filesize)); Info_SetValueForStarKey (svs.info, "*progs", num, MAX_SERVERINFO_STRING); // byte swap the header diff --git a/source/qargs.c b/source/qargs.c index 2bb884d..cdbe11e 100644 --- a/source/qargs.c +++ b/source/qargs.c 
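Review bot: In ED_ParseEdict the re-indented anglehack block keeps `strcpy (temp, com_token);` into `char temp[32]`, so a token of 32 bytes or more overruns `temp` before the new snprintf is reached. Bound that copy as well, for example `snprintf (temp, sizeof(temp), "%s", com_token);`. `sizeof(com_token)` only yields the buffer size if com_token is visible in this file as a sized array; its declaration is not in the hunk, so that is worth confirming. The function starts and ends outside the hunk.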
@@ -115,7 +115,7 @@ void COM_InitArgv (int argc, char **argv) { strncat (com_cmdline, argv[i], len); assert(len - strlen(com_cmdline) > 0); - strcat (com_cmdline, " "); + strncat (com_cmdline, " ", sizeof(com_cmdline)); } com_cmdline[len - 1] = '\0'; } diff --git a/source/quakefs.c b/source/quakefs.c index 05e75e0..6307fc5 100644 --- a/source/quakefs.c +++ b/source/quakefs.c @@ -1145,5 +1145,5 @@ void COM_DefaultExtension (char *path, char *extension) src--; } - strcat (path, extension); + strncat (path, extension, sizeof(path)); } diff --git a/source/quakeio.c b/source/quakeio.c index 8138f4f..ddb4044 100644 --- a/source/quakeio.c +++ b/source/quakeio.c @@ -82,7 +82,7 @@ Qexpand_squiggle(const char *path, char *dest) if (home) { strcpy (dest, home); - strcat (dest, path+1); // skip leading ~ + strncat (dest, path+1, sizeof(dest)); // skip leading ~ } else strcpy (dest,path); } diff --git a/source/r_misc.c b/source/r_misc.c index 574a691..edec086 100644 --- a/source/r_misc.c +++ b/source/r_misc.c @@ -259,7 +259,7 @@ void R_NetGraph (void) i = (cls.netchan.outgoing_sequence-a) & NET_TIMINGSMASK; R_LineGraph (x+w-1-a, y, packet_latency[i]); } - sprintf(st, "%3i%% packet loss", lost); + snprintf(st, sizeof(st), "%3i%% packet loss", lost); Draw_String8 (8, y2, st); } diff --git a/source/sbar.c b/source/sbar.c index d71827b..f4dffb8 100644 --- a/source/sbar.c +++ b/source/sbar.c @@ -506,7 +506,7 @@ void Sbar_SoloScoreboard (void) seconds = cl.time - 60*minutes; tens = seconds / 10; units = seconds - 10*tens; - sprintf (str,"Time :%3i:%i%i", minutes, tens, units); + snprintf (str, sizeof(str),"Time :%3i:%i%i", minutes, tens, units); Sbar_DrawString (184, 4, str); } 
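Review bot: In COM_DefaultExtension `path` is a `char *` parameter, so `sizeof(path)` in the new `strncat (path, extension, sizeof(path));` is the size of a pointer rather than of the caller's buffer, and the call gives no protection against overflow. Qexpand_squiggle in quakeio.c has the same problem with `strncat (dest, path+1, sizeof(dest));`, and there it also changes behaviour: at most a pointer's width of bytes from the path after `~` is appended, so longer paths are cut short. Neither function can learn the destination size from its arguments; I would add a size parameter (or document a required capacity) and compute the remaining space from it, e.g. `strncat (path, extension, size - strlen (path) - 1);`. If `buf` in the stufftext hunk of pr_cmds.c and `com_cmdline` in qargs.c are pointers, as the surrounding lines suggest, the same applies to them.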
@@ -566,7 +566,7 @@ void Sbar_DrawInventory (void) // ammo counts for (i=0 ; i<4 ; i++) { - sprintf (num, "%3i",cl.stats[STAT_SHELLS+i] ); + snprintf (num, sizeof(num), "%3i",cl.stats[STAT_SHELLS+i] ); if (headsup) { // Sbar_DrawSubPic(3, -24, sb_ibar, 3, 0, 42,11); Sbar_DrawSubPic((hudswap) ? 0 : (vid.width-42), -24 - (4-i)*11, sb_ibar, 3+(i*48), 0, 42, 11); @@ -667,7 +667,7 @@ void Sbar_DrawFrags (void) // draw number f = s->frags; - sprintf (num, "%3i",f); + snprintf (num, sizeof(num), "%3i",f); Sbar_DrawCharacter ( (x+1)*8 , -24, num[0]); Sbar_DrawCharacter ( (x+2)*8 , -24, num[1]); @@ -826,7 +826,7 @@ void Sbar_Draw (void) Sbar_DrawNormal (); // Sbar_DrawString (160-14*8+4,4, "SPECTATOR MODE - TRACK CAMERA"); - sprintf(st, "Tracking %-.13s, [JUMP] for next", + snprintf (st, sizeof(st), "Tracking %-.13s, [JUMP] for next", cl.players[spec_track].name); Sbar_DrawString(0, -8, st); } @@ -959,7 +959,7 @@ void Sbar_TeamOverlay (void) if (pavg < 0 || pavg > 999) pavg = 999; - sprintf (num, "%3i/%3i/%3i", plow, pavg, phigh); + snprintf (num, sizeof(num), "%3i/%3i/%3i", plow, pavg, phigh); Draw_String8 ( x, y, num); // draw team @@ -968,11 +968,11 @@ void Sbar_TeamOverlay (void) Draw_String8 (x + 104, y, team); // draw total - sprintf (num, "%5i", tm->frags); + snprintf (num, sizeof(num), "%5i", tm->frags); Draw_String8 (x + 104 + 40, y, num); // draw players - sprintf (num, "%5i", tm->players); + snprintf (num, sizeof(num), "%5i", tm->players); Draw_String8 (x + 104 + 88, y, num); if (!strncmp(Info_ValueForKey(cl.players[cl.playernum].userinfo, @@ -1072,12 +1072,12 @@ void Sbar_DeathmatchOverlay (int start) p = s->ping; if (p < 0 || p > 999) p = 999; - sprintf (num, "%4i", p); + snprintf (num, sizeof(num), "%4i", p); Draw_String8 ( x, y, num); // draw pl p = s->pl; - sprintf (num, "%3i", p); + snprintf (num, sizeof(num), "%3i", p); if (p > 25) Draw_AltString8 ( x+32, y, num); else 
@@ -1102,7 +1102,7 @@ void Sbar_DeathmatchOverlay (int start) else total = realtime - s->entertime; minutes = (int)total/60; - sprintf (num, "%4i", minutes); + snprintf (num, sizeof(num), "%4i", minutes); Draw_String8 ( x+64 , y, num); // draw background @@ -1119,7 +1119,7 @@ void Sbar_DeathmatchOverlay (int start) // draw number f = s->frags; - sprintf (num, "%3i",f); + snprintf (num, sizeof(num), "%3i",f); Draw_Character8 ( x+112 , y, num[0]); Draw_Character8 ( x+120 , y, num[1]); @@ -1231,7 +1231,7 @@ void Sbar_MiniDeathmatchOverlay (void) // draw number f = s->frags; - sprintf (num, "%3i",f); + snprintf (num, sizeof(num), "%3i",f); Draw_Character8 ( x+8 , y, num[0]); Draw_Character8 ( x+16, y, num[1]); @@ -1285,7 +1285,7 @@ void Sbar_MiniDeathmatchOverlay (void) Draw_String8 (x, y, team); // draw total - sprintf (num, "%5i", tm->frags); + snprintf (num, sizeof(num), "%5i", tm->frags); Draw_String8 (x + 40, y, num); if (!strncmp(Info_ValueForKey(cl.players[cl.playernum].userinfo, diff --git a/source/screen.c b/source/screen.c index fa4fc87..8810b34 100644 --- a/source/screen.c +++ b/source/screen.c @@ -507,7 +507,7 @@ void SCR_DrawFPS (void) lastframetime = t; } /* Misty: I really do need to read about sprintf a bit. This thing keeps chewing on my foot! */ - sprintf(st, "%-3d FPS", lastfps); + snprintf (st, sizeof(st), "%-3d FPS", lastfps); /* Misty: New trick! (for me) the ? makes this work like a if then else - IE: if cl_hudswap->int_val is not null, do first case, else (else is a : here) do second case. Deek taught me this trick */ @@ -544,7 +544,7 @@ void SCR_DrawTime (void) } /* now actually print it to the screen directly below where show_fps is */ - sprintf (st, "%s", local_time); + snprintf (st, sizeof(st), "%s", local_time); x = cl_hudswap->int_val ? vid.width - ((strlen (st) * 8) + 8) : 8; y = vid.height - sb_lines - 16; Draw_String8 (x, y, st); diff --git a/source/snd_dma.c b/source/snd_dma.c index 828ce3e..0523c71 100644 --- a/source/snd_dma.c 
+++ b/source/snd_dma.c @@ -957,7 +957,7 @@ void S_Play(void) if (!strrchr(Cmd_Argv(i), '.')) { strcpy(name, Cmd_Argv(i)); - strcat(name, ".wav"); + strncat (name, ".wav", sizeof(name)); } else strcpy(name, Cmd_Argv(i)); @@ -981,7 +981,7 @@ void S_PlayVol(void) if (!strrchr(Cmd_Argv(i), '.')) { strcpy(name, Cmd_Argv(i)); - strcat(name, ".wav"); + strncat (name, ".wav", sizeof(name)); } else strcpy(name, Cmd_Argv(i)); diff --git a/source/snd_mem.c b/source/snd_mem.c index d757c6b..02d4c51 100644 --- a/source/snd_mem.c +++ b/source/snd_mem.c @@ -180,7 +180,7 @@ sfxcache_t *S_LoadSound (sfx_t *s) //Con_Printf ("S_LoadSound: %x\n", (int)stackbuf); // load it in strcpy(namebuffer, "sound/"); - strcat(namebuffer, s->name); + strncat (namebuffer, s->name, sizeof(namebuffer)); // Con_Printf ("loading %s\n",namebuffer); diff --git a/source/sv_ccmds.c b/source/sv_ccmds.c index 8b7da25..c6ada2e 100644 --- a/source/sv_ccmds.c +++ b/source/sv_ccmds.c @@ -528,7 +528,7 @@ void SV_ConSay_f(void) p[strlen(p)-1] = 0; } - strcat(text, p); + strncat (text, p, sizeof(text)); for (j = 0, client = svs.clients; j < MAX_CLIENTS; j++, client++) { @@ -774,7 +774,7 @@ void SV_Snap (int uid) return; } - sprintf(pcxname, "%d-00.pcx", uid); + snprintf (pcxname, sizeof(pcxname), "%d-00.pcx", uid); snprintf (checkname, sizeof(checkname), "%s/snap", com_gamedir); COM_CreatePath (va ("%s/dummy", checkname)); diff --git a/source/sv_main.c b/source/sv_main.c index 932fe18..68aeba7 100644 --- a/source/sv_main.c +++ b/source/sv_main.c @@ -545,7 +545,7 @@ SVC_Log (void) NET_AdrToString (net_from)); // sprintf (data, "stdlog %i\n", svs.logsequence-1); - // strcat (data, (char *)svs.log_buf[((svs.logsequence-1)&1)]); + // strncat (data, (char *)svs.log_buf[((svs.logsequence-1)&1)], sizeof(data)); snprintf (data, sizeof (data), "stdlog %i\n%s", svs.logsequence - 1, (char *) svs.log_buf[((svs.logsequence - 1) & 1)]); 
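Review bot: In S_Play the overflow risk is the unchanged `strcpy(name, Cmd_Argv(i));` on the line above the new strncat, which copies a console argument into `name` with no length limit. Bounding the ".wav" append afterwards does not help once that copy has overrun. Both lines can become one bounded call, `snprintf (name, sizeof(name), "%s.wav", Cmd_Argv(i));`, with the else branch changed to `snprintf (name, sizeof(name), "%s", Cmd_Argv(i));`. S_PlayVol in the next hunk has the identical pair of lines. The declaration of `name` is outside the hunk, so this assumes it is an array.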
@@ -1210,7 +1210,7 @@ SV_SendBan (void) data[0] = data[1] = data[2] = data[3] = 0xff; data[4] = A2C_PRINT; data[5] = 0; - strcat (data, "\nbanned.\n"); + strncat (data, "\nbanned.\n", sizeof(data)); NET_SendPacket (strlen (data), data, net_from); } diff --git a/source/sv_send.c b/source/sv_send.c index 9ff3e26..47cd91c 100644 --- a/source/sv_send.c +++ b/source/sv_send.c @@ -146,7 +146,7 @@ void Con_Printf (char *fmt, ...) if (sv_redirected) { // Add to redirected message if (strlen (msg) + strlen (outputbuf) > sizeof (outputbuf) - 1) SV_FlushRedirect (); - strcat (outputbuf, msg); + strncat (outputbuf, msg, sizeof(outputbuf)); return; } else { // We want to output to console and maybe logfile if (sv_timestamps && sv_timefmt && sv_timefmt->string && sv_timestamps->int_val) diff --git a/source/sv_user.c b/source/sv_user.c index 88c2d37..91ccd04 100644 --- a/source/sv_user.c +++ b/source/sv_user.c @@ -854,8 +854,8 @@ void SV_Say (qboolean team) p[strlen(p)-1] = 0; } - strcat(text, p); - strcat(text, "\n"); + strncat (text, p, sizeof(text)); + strncat (text, "\n", sizeof(text)); Sys_Printf ("%s", text);