change _FOpenFile to take a dstring for foundname plugging a potential

buffer overflow.

doc/.gitignore

@@ -2,4 +2,5 @@ Makefile
 Makefile.in
 doxygen
 man
+quakeforge.dox
 texinfo

include/QF/quakefs.h

@@ -72,8 +72,8 @@ struct cache_user_s;
 char *QFS_CompressPath (const char *pth);
 void QFS_WriteFile (const char *filename, void *data, int len);
 void QFS_WriteBuffers (const char *filename, int count, ...);
-
-int _QFS_FOpenFile (const char *filename, QFile **gzfile, char *foundname, int zip);
+struct dstring_s;
+int _QFS_FOpenFile (const char *filename, QFile **gzfile, struct dstring_s *foundname, int zip);
 int QFS_FOpenFile (const char *filename, QFile **gzfile);
 void QFS_FileBase (const char *in, char *out);
 void QFS_DefaultExtension (char *path, const char *extension);

libs/audio/renderer/snd_mem.c

@@ -39,6 +39,7 @@ static __attribute__ ((unused)) const char rcsid[] =
 #endif
 
 #include "QF/cvar.h"
+#include "QF/dstring.h"
 #include "QF/sound.h"
 #include "QF/sys.h"
 #include "QF/qendian.h"
@@ -184,7 +185,7 @@ static sfxcache_t *
 SND_LoadSound (sfx_t *sfx, cache_allocator_t allocator)
 {
 	char		namebuffer[256];
-	char		foundname[256];
+	dstring_t  *foundname = dstring_new ();
 	byte	   *data;
 	wavinfo_t	info;
 	int			len;
@@ -198,12 +199,15 @@ SND_LoadSound (sfx_t *sfx, cache_allocator_t allocator)
 	strncat (namebuffer, sfx->name, sizeof (namebuffer) - strlen (namebuffer));
 	_QFS_FOpenFile (namebuffer, &file, foundname, 1);
 	if (!file) {
+		dstring_delete (foundname);
 		Sys_Printf ("Couldn't load %s\n", namebuffer);
 		return 0;
 	}
-	if (strcmp (".ogg", QFS_FileExtension (foundname)) == 0) {
+	if (strcmp (".ogg", QFS_FileExtension (foundname->str)) == 0) {
+		dstring_delete (foundname);
 		return SND_LoadOgg (file, sfx, allocator);
 	}
+	dstring_delete (foundname);
 	Qclose (file); //FIXME this is a dumb way to do this
 	data = QFS_LoadStackFile (namebuffer, stackbuf, sizeof (stackbuf));
 

libs/util/quakefs.c

@@ -746,7 +746,7 @@ int file_from_pak; // global indicating file came from pack file ZOID
 
 static int
 open_file (searchpath_t *search, const char *filename, QFile **gzfile,
-		   char *foundname, int zip)
+		   dstring_t *foundname, int zip)
 {
 	char        netpath[MAX_OSPATH];
 
@@ -761,7 +761,10 @@ open_file (searchpath_t *search, const char *filename, QFile **gzfile,
 			Sys_DPrintf ("PackFile: %s : %s\n", search->pack->filename,
 						 packfile->name);
 			// open a new file on the pakfile
-			strncpy (foundname, packfile->name, MAX_OSPATH);
+			if (foundname) {
+				dstring_clearstr (foundname);
+				dstring_appendstr (foundname, packfile->name);
+			}
 			*gzfile = QFS_OpenRead (search->pack->filename, packfile->filepos,
 									packfile->filelen, zip);
 			file_from_pak = 1;
@@ -779,7 +782,10 @@ open_file (searchpath_t *search, const char *filename, QFile **gzfile,
 		snprintf (netpath, sizeof (netpath), "%s/%s", search->filename,
 				  filename);
 
-		strncpy (foundname, filename, MAX_OSPATH);
+		if (foundname) {
+			dstring_clearstr (foundname);
+			dstring_appendstr (foundname, filename);
+		}
 		if (Sys_FileTime (netpath) == -1)
 			return -1;
 
@@ -793,7 +799,8 @@ open_file (searchpath_t *search, const char *filename, QFile **gzfile,
 }
 
 int
-_QFS_FOpenFile (const char *filename, QFile **gzfile, char *foundname, int zip)
+_QFS_FOpenFile (const char *filename, QFile **gzfile,
+				dstring_t *foundname, int zip)
 {
 	searchpath_t *search;
 	char       *path;
@@ -854,9 +861,7 @@ ok:
 int
 QFS_FOpenFile (const char *filename, QFile **gzfile)
 {
-	char        foundname[MAX_OSPATH];
-
-	return _QFS_FOpenFile (filename, gzfile, foundname, 1);
+	return _QFS_FOpenFile (filename, gzfile, 0, 1);
 }
 
 cache_user_t *loadcache;

nq/source/locs.c

@@ -136,11 +136,10 @@ locs_load (const char *filename)
 	char       *t1, *t2;
 	vec3_t      loc;
 	char	    tmp[PATH_MAX];
-	char        foundname[MAX_OSPATH];
 	int         templength = 0;
 	
 	snprintf (tmp, sizeof(tmp), "maps/%s", filename);
-	templength = _QFS_FOpenFile (tmp, &file, foundname, 1);
+	templength = QFS_FOpenFile (tmp, &file);
 	if (!file) {
 		Con_Printf ("Couldn't load %s\n", tmp);
 		return;

qw/source/locs.c

@@ -132,7 +132,7 @@ locs_add (const vec3_t location, const char *name)
 void
 locs_load (const char *filename)
 {
-	char        tmp[PATH_MAX], foundname[MAX_OSPATH];
+	char        tmp[PATH_MAX];
 	char       *t1, *t2;
 	const char *line;
 	int         templength = 0;
@@ -140,7 +140,7 @@ locs_load (const char *filename)
 	QFile      *file;
 	
 	snprintf (tmp, sizeof (tmp), "maps/%s", filename);
-	templength = _QFS_FOpenFile (tmp, &file, foundname, 1);
+	templength = QFS_FOpenFile (tmp, &file);
 	if (!file) {
 		Con_Printf ("Couldn't load %s\n", tmp);
 		return;

qw/source/sv_user.c

@@ -674,7 +674,7 @@ static void
 SV_BeginDownload_f (ucmd_t *cmd)
 {
 	const char *name;
-	char		realname[MAX_OSPATH];
+	dstring_t  *realname;
 	int			size, zip;
 	QFile	   *file;
 
@@ -709,6 +709,7 @@ SV_BeginDownload_f (ucmd_t *cmd)
 
 	zip = strchr (Info_ValueForKey (host_client->userinfo, "*cap"), 'z') != 0;
 
+	realname = dstring_newstr ();
 	size = _QFS_FOpenFile (name, &file, realname, !zip);
 
 	host_client->download = file;
@@ -728,18 +729,20 @@ SV_BeginDownload_f (ucmd_t *cmd)
 		ClientReliableWrite_Begin (host_client, svc_download, 4);
 		ClientReliableWrite_Short (host_client, -1);
 		ClientReliableWrite_Byte (host_client, 0);
+		dstring_delete (realname);
 		return;
 	}
 
-	if (zip && strcmp (realname, name)) {
-		SV_Printf ("download renamed to %s\n", realname);
+	if (zip && strcmp (realname->str, name)) {
+		SV_Printf ("download renamed to %s\n", realname->str);
 		ClientReliableWrite_Begin (host_client, svc_download,
-								   strlen (realname) + 5);
+								   strlen (realname->str) + 5);
 		ClientReliableWrite_Short (host_client, -2);
 		ClientReliableWrite_Byte (host_client, 0);
-		ClientReliableWrite_String (host_client, realname);
+		ClientReliableWrite_String (host_client, realname->str);
 		ClientReliable_FinishWrite (host_client);
 	}
+	dstring_delete (realname);
 
 	SV_NextDownload_f (0);
 	SV_Printf ("Downloading %s to %s\n", name, host_client->name);