strncat parameter audit. Unfortunatly, strncat is counter-intutite: the n in

strncat is not the maximum length of the destination string, but of the SOURCE string, thus strncat (dest, src, sizeof (dest)) is incorrect. It should be strncat (dest, src, sizeof (text) - strlen (dest)). Even then, no terminating nul will be written if src is too long, but at least it won't crash the stack:)
2025-06-04 11:01:20 +00:00 · 2000-12-05 16:04:12 +00:00 · 2000-12-05 16:04:12 +00:00 · eae11661e4
commit eae11661e4
parent 66e0e31b57
19 changed files with 54 additions and 53 deletions
--- a/source/cl_parse.c
+++ b/source/cl_parse.c
@ -231,7 +231,8 @@ qboolean	CL_CheckOrDownloadFile (char *filename)
 	// to the real name when done, so if interrupted
 	// a runt file wont be left
 	COM_StripExtension (cls.downloadname, cls.downloadtempname);
-	strncat (cls.downloadtempname,  ".tmp", sizeof(cls.downloadtempname));
+	strncat (cls.downloadtempname,  ".tmp",
+			 sizeof (cls.downloadtempname) - strlen (cls.downloadtempname));

 	MSG_WriteByte (&cls.netchan.message, clc_stringcmd);
 	MSG_WriteString (&cls.netchan.message, va("download %s", cls.downloadname));
--- a/source/cl_sys_win.c
+++ b/source/cl_sys_win.c
@ -331,7 +331,7 @@ char *Sys_ConsoleInput (void)
 										if (i>0) {
 											textCopied[i]=0;
 											text[len]=0;
-											strncat (text,  textCopied, sizeof(text));
+											strncat (text,  textCopied, sizeof(text) - strlen (text));
 											len+=dummy;
 											WriteFile(houtput, textCopied, i, &dummy, NULL);
 										}
--- a/source/cmd.c
+++ b/source/cmd.c
@ -317,8 +317,8 @@ void Cmd_StuffCmds_f (void)
 			c = com_cmdline[j];
 			com_cmdline[j] = 0;

-			strncat (build,  com_cmdline+i, sizeof(build));
-			strncat (build,  "\n", sizeof(build));
+			strncat (build,  com_cmdline+i, sizeof(build) - strlen (build));
+			strncat (build,  "\n", sizeof(build) - strlen (build));
 			com_cmdline[j] = c;
 			i = j-1;
 		}
@ -473,11 +473,11 @@ void Cmd_Alias_f (void)
 	c = Cmd_Argc();
 	for (i=2 ; i< c ; i++)
 	{
-		strncat (cmd,  Cmd_Argv(i), sizeof(cmd));
+		strncat (cmd,  Cmd_Argv(i), sizeof(cmd) - strlen (cmd));
 		if (i != c)
-			strncat (cmd,  " ", sizeof(cmd));
+			strncat (cmd,  " ", sizeof(cmd) - strlen (cmd));
 	}
-	strncat (cmd,  "\n", sizeof(cmd));
+	strncat (cmd,  "\n", sizeof(cmd) - strlen (cmd));

 	a->value = CopyString (cmd);
 }
--- a/source/console.c
+++ b/source/console.c
@ -620,10 +620,10 @@ void Con_DrawConsole (int lines)
 			y = x - i - 11;
 			strncpy(dlbar, text, i);
 			dlbar[i] = 0;
-			strncat (dlbar,  "...", sizeof(dlbar));
+			strncat (dlbar,  "...", sizeof(dlbar) - strlen (dlbar));
 		} else
-			strcpy(dlbar, text);
-		strncat (dlbar,  ": ", sizeof(dlbar));
+			strncpy(dlbar, text, sizeof (dlbar));
+		strncat (dlbar,  ": ", sizeof(dlbar) - strlen (dlbar));
 		i = strlen(dlbar);
 		dlbar[i++] = '\x80';
 		// where's the dot go?
--- a/source/gl_mesh.c
+++ b/source/gl_mesh.c
@ -329,7 +329,7 @@ void GL_MakeAliasModelDisplayLists (model_t *m, aliashdr_t *hdr)
 	//
 	strcpy (cache, "glquake/");
 	COM_StripExtension (m->name+strlen("progs/"), cache+strlen("glquake/"));
-	strncat (cache,  ".ms2", sizeof(cache));
+	strncat (cache,  ".ms2", sizeof(cache) - strlen (cache));

 	COM_FOpenFile (cache, &f);	
 	if (f)
--- a/source/gl_model_brush.c
+++ b/source/gl_model_brush.c
@ -79,7 +79,7 @@ void Mod_LoadLighting (lump_t *l)

 	strcpy(litfilename, loadmodel->name);
 	COM_StripExtension(litfilename, litfilename);
-	strncat (litfilename,  ".lit", sizeof(litfilename));
+	strncat (litfilename,  ".lit", sizeof(litfilename) - strlen (litfilename));

 	loadmodel->lightdata = (byte*) COM_LoadHunkFile (litfilename);
 	if (!loadmodel->lightdata) // expand the white lighting data
--- a/source/keys.c
+++ b/source/keys.c
@ -659,9 +659,9 @@ Key_Bind_f ( void )
 	cmd[0] = 0;		// start out with a null string
 	for (i=2 ; i< c ; i++)
 	{
-		strncat (cmd,  Cmd_Argv(i), sizeof(cmd));
+		strncat (cmd,  Cmd_Argv(i), sizeof(cmd) - strlen (cmd));
 		if (i != (c-1))
-			strncat (cmd,  " ", sizeof(cmd));
+			strncat (cmd,  " ", sizeof(cmd) - strlen (cmd));
 	}

 	Key_SetBinding (b, cmd);
--- a/source/pr_cmds.c
+++ b/source/pr_cmds.c
@ -65,7 +65,7 @@ char *PF_VarString (int	first)
 	out[0] = 0;
 	for (i=first ; i<pr_argc ; i++)
 	{
-		strncat (out,  G_STRING((OFS_PARM0+i*3)), sizeof(out));
+		strncat (out,  G_STRING((OFS_PARM0+i*3)), sizeof(out) - strlen (out));
 	}
 	return out;
 }
@ -722,7 +722,7 @@ void PF_stuffcmd (void)
 	buf = cl->stufftext_buf;
 	if (strlen(buf) + strlen(str) >= MAX_STUFFTEXT)
 		PR_RunError ("stufftext buffer overflow");
-	strncat (buf,  str, sizeof(buf));
+	strncat (buf,  str, sizeof(buf) - strlen (buf));

 	for (i = strlen(buf); i >= 0; i--)
 	{
--- a/source/pr_edict.c
+++ b/source/pr_edict.c
@ -426,8 +426,8 @@ char *PR_GlobalString (int ofs)
 	
 	i = strlen(line);
 	for ( ; i<20 ; i++)
-		strncat (line, " ", sizeof(line));
-	strncat (line, " ", sizeof(line));
+		strncat (line, " ", sizeof(line) - strlen (line));
+	strncat (line, " ", sizeof(line) - strlen (line));
 		
 	return line;
 }
@ -446,8 +446,8 @@ char *PR_GlobalStringNoContents (int ofs)
 	
 	i = strlen(line);
 	for ( ; i<20 ; i++)
-		strncat (line, " ", sizeof(line));
-	strncat (line, " ", sizeof(line));
+		strncat (line, " ", sizeof(line) - strlen (line));
+	strncat (line, " ", sizeof(line) - strlen (line));
 		
 	return line;
 }
--- a/source/qargs.c
+++ b/source/qargs.c
@ -113,9 +113,9 @@ void COM_InitArgv (int argc, char **argv)
 	if (len) {
 		for (i=1; i < argc; i++)
 		{
-			strncat (com_cmdline, argv[i], len);
+			strncat (com_cmdline, argv[i], len - strlen (com_cmdline));
 			assert(len - strlen(com_cmdline) > 0);
-			strncat (com_cmdline,  " ", sizeof(com_cmdline));
+			strncat (com_cmdline,  " ", len - strlen (com_cmdline));
 		}
 		com_cmdline[len - 1] = '\0';
 	}
--- a/source/quakefs.c
+++ b/source/quakefs.c
@ -520,7 +520,7 @@ _COM_FOpenFile (char *filename, QFile **gzfile, char *foundname, int zip)

 	filenamelen = strlen(filename);
 	strncpy(gzfilename,filename,sizeof(gzfilename));
-	strncat(gzfilename,".gz",sizeof(gzfilename));
+	strncat(gzfilename,".gz",sizeof(gzfilename) - strlen (gzfilename));
 #endif

 	file_from_pak = 0;
@ -1145,5 +1145,5 @@ void COM_DefaultExtension (char *path, char *extension)
 		src--;
 	}

-	strncat (path,  extension, sizeof(path));
+	strncat (path,  extension, sizeof(path) - strlen (path));
 }
--- a/source/quakeio.c
+++ b/source/quakeio.c
@ -82,7 +82,7 @@ Qexpand_squiggle(const char *path, char *dest)

 	if (home) {
 		strcpy (dest, home);
-		strncat (dest,  path+1, sizeof(dest)); // skip leading ~
+		strncat (dest,  path+1, sizeof(dest) - strlen (dest)); // skip leading ~
 	} else
 		strcpy (dest,path);
 }
--- a/source/snd_dma.c
+++ b/source/snd_dma.c
@ -957,7 +957,7 @@ void S_Play(void)
 		if (!strrchr(Cmd_Argv(i), '.'))
 		{
 			strcpy(name, Cmd_Argv(i));
-			strncat (name,  ".wav", sizeof(name));
+			strncat (name,  ".wav", sizeof(name) - strlen (name));
 		}
 		else
 			strcpy(name, Cmd_Argv(i));
@ -981,7 +981,7 @@ void S_PlayVol(void)
 		if (!strrchr(Cmd_Argv(i), '.'))
 		{
 			strcpy(name, Cmd_Argv(i));
-			strncat (name,  ".wav", sizeof(name));
+			strncat (name,  ".wav", sizeof(name) - strlen (name));
 		}
 		else
 			strcpy(name, Cmd_Argv(i));
--- a/source/snd_mem.c
+++ b/source/snd_mem.c
@ -180,7 +180,7 @@ sfxcache_t *S_LoadSound (sfx_t *s)
 //Con_Printf ("S_LoadSound: %x\n", (int)stackbuf);
 // load it in
    strcpy(namebuffer, "sound/");
-    strncat (namebuffer,  s->name, sizeof(namebuffer));
+    strncat (namebuffer,  s->name, sizeof(namebuffer) - strlen (namebuffer));

 //	Con_Printf ("loading %s\n",namebuffer);

--- a/source/sv_ccmds.c
+++ b/source/sv_ccmds.c
@ -528,7 +528,7 @@ void SV_ConSay_f(void)
 		p[strlen(p)-1] = 0;
 	}

-	strncat (text,  p, sizeof(text));
+	strncat (text,  p, sizeof(text) - strlen (text));

 	for (j = 0, client = svs.clients; j < MAX_CLIENTS; j++, client++)
 	{
--- a/source/sv_main.c
+++ b/source/sv_main.c
@ -545,7 +545,7 @@ SVC_Log (void)
 				 NET_AdrToString (net_from));

 	// sprintf (data, "stdlog %i\n", svs.logsequence-1);
-	// strncat (data,  (char *)svs.log_buf[((svs.logsequence-1)&1)], sizeof(data));
+	// strncat (data,  (char *)svs.log_buf[((svs.logsequence-1)&1)], sizeof(data) - strlen (data));
 	snprintf (data, sizeof (data), "stdlog %i\n%s",
 			  svs.logsequence - 1,
 			  (char *) svs.log_buf[((svs.logsequence - 1) & 1)]);
@ -1210,7 +1210,7 @@ SV_SendBan (void)
 	data[0] = data[1] = data[2] = data[3] = 0xff;
 	data[4] = A2C_PRINT;
 	data[5] = 0;
-	strncat (data,  "\nbanned.\n", sizeof(data));
+	strncat (data,  "\nbanned.\n", sizeof(data) - strlen (data));

 	NET_SendPacket (strlen (data), data, net_from);
 }
--- a/source/sv_send.c
+++ b/source/sv_send.c
@ -146,7 +146,7 @@ void Con_Printf (char *fmt, ...)
 	if (sv_redirected) {	// Add to redirected message
 		if (strlen (msg) + strlen (outputbuf) > sizeof (outputbuf) - 1)
 			SV_FlushRedirect ();
-		strncat (outputbuf,  msg, sizeof(outputbuf));
+		strncat (outputbuf,  msg, sizeof(outputbuf) - strlen (outputbuf));
 		return;
 	} else {				// We want to output to console and maybe logfile
 		if (sv_timestamps && sv_timefmt && sv_timefmt->string && sv_timestamps->int_val)
--- a/source/sv_user.c
+++ b/source/sv_user.c
@ -854,8 +854,8 @@ void SV_Say (qboolean team)
 		p[strlen(p)-1] = 0;
 	}

-	strncat (text,  p, sizeof(text));
-	strncat (text,  "\n", sizeof(text));
+	strncat (text,  p, sizeof(text) - strlen (text));
+	strncat (text,  "\n", sizeof(text) - strlen (text));

 	Sys_Printf ("%s", text);