[gamecode] Plug a nasty buffer overflow
This one is ancient: the code was essentially unmodified since release (just some formatting). Malformed vectors could sneak through due to map bugs (eg, "angles -90" instead of "angle -90" as in ad_tears), and the vector parsing code would continue past the end of the string, writing into unowned memory and potentially messing up the libc allocation records. Replacing it with the obvious sscanf works nicely. Sometimes, Quake code is brilliant. Other times, it's a real face-palm.
This commit is contained in:
parent
34da36e1cf
commit
78a0075be1
1 changed files with 11 additions and 13 deletions
|
@ -215,10 +215,7 @@ ED_NewString (progs_t *pr, const char *string)
|
|||
VISIBLE qboolean
|
||||
ED_ParseEpair (progs_t *pr, pr_type_t *base, pr_def_t *key, const char *s)
|
||||
{
|
||||
int i;
|
||||
char *string;
|
||||
pr_def_t *def;
|
||||
char *v, *w;
|
||||
pr_type_t *d;
|
||||
dfunction_t *func;
|
||||
|
||||
|
@ -234,17 +231,18 @@ ED_ParseEpair (progs_t *pr, pr_type_t *base, pr_def_t *key, const char *s)
|
|||
break;
|
||||
|
||||
case ev_vector:
|
||||
string = strdup (s);
|
||||
v = string;
|
||||
w = string;
|
||||
for (i = 0; i < 3; i++) {
|
||||
while (*v && *v != ' ')
|
||||
v++;
|
||||
*v = 0;
|
||||
(&PR_PTR (float, d))[i] = atof (w);
|
||||
w = v = v + 1;
|
||||
vec3_t vec = {};
|
||||
char *str = alloca (strlen (s) + 1);
|
||||
strcpy (str, s);
|
||||
for (char *v = str; *v; v++) {
|
||||
if (*v == ',') {
|
||||
*v = ' ';
|
||||
}
|
||||
}
|
||||
free (string);
|
||||
if (sscanf (s, "%f %f %f", VectorExpandAddr (vec)) != 3) {
|
||||
Sys_Printf ("Malformed vector %s\n", s);
|
||||
}
|
||||
VectorCopy (vec, PR_PTR (vector, d));
|
||||
break;
|
||||
|
||||
case ev_entity:
|
||||
|
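Review bot: The comma-rewriting copy is never parsed: `str` is filled by `strcpy (str, s)` and its commas turned into spaces, but the `sscanf` call near the end of the hunk reads `s`, so the loop has no effect and a value such as `1,2,3` would still be reported as malformed. The call should read `if (sscanf (str, "%f %f %f", VectorExpandAddr (vec)) != 3) {`; the Sys_Printf diagnostic can keep printing the original `s`. Separately, `alloca (strlen (s) + 1)` sizes a stack allocation from the length of the incoming value; unless the entity tokenizer bounds token length upstream (not visible here), a bounded or heap buffer would be the safer choice for data read from a map file. The enclosing switch and the body of ED_ParseEpair start and end outside the hunk.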
|