[gamecode] Plug a nasty buffer overflow

This one is ancient: the code was essentially unmodified since release
(just some formatting). Malformed vectors could sneak through due to map
bugs (eg, "angles -90" instead of "angle -90" as in ad_tears) and the
vector parsing code would continue past the end of the string and
write into unowned memory, potentially messing up the libc allocation
records. Replacing with the obvious sscanf works nicely.

Sometimes, Quake code is brilliant. Other times, it's a real face-palm.
This commit is contained in:
Bill Currie 2022-05-21 12:15:15 +09:00
parent 34da36e1cf
commit 78a0075be1


@ -215,10 +215,7 @@ ED_NewString (progs_t *pr, const char *string)
VISIBLE qboolean VISIBLE qboolean
ED_ParseEpair (progs_t *pr, pr_type_t *base, pr_def_t *key, const char *s) ED_ParseEpair (progs_t *pr, pr_type_t *base, pr_def_t *key, const char *s)
{ {
int i;
char *string;
pr_def_t *def; pr_def_t *def;
char *v, *w;
pr_type_t *d; pr_type_t *d;
dfunction_t *func; dfunction_t *func;
@ -234,17 +231,18 @@ ED_ParseEpair (progs_t *pr, pr_type_t *base, pr_def_t *key, const char *s)
break; break;
case ev_vector: case ev_vector:
string = strdup (s); vec3_t vec = {};
v = string; char *str = alloca (strlen (s) + 1);
w = string; strcpy (str, s);
for (i = 0; i < 3; i++) { for (char *v = str; *v; v++) {
while (*v && *v != ' ') if (*v == ',') {
v++; *v = ' ';
*v = 0; }
(&PR_PTR (float, d))[i] = atof (w);
w = v = v + 1;
} }
free (string); if (sscanf (s, "%f %f %f", VectorExpandAddr (vec)) != 3) {
Sys_Printf ("Malformed vector %s\n", s);
}
VectorCopy (vec, PR_PTR (vector, d));
break; break;
case ev_entity: case ev_entity: