Fix myhashfgets-related buffer overflows in deh_soc.c

2025-01-22 09:11:21 +00:00 · 2021-04-06 01:01:33 +02:00 · 2021-04-06 01:01:33 +02:00 · 701c6c8968
commit 701c6c8968
parent bcd3245b76
1 changed files with 12 additions and 6 deletions
--- a/src/deh_soc.c
+++ b/src/deh_soc.c
@ -229,7 +229,10 @@ void readPlayer(MYFILE *f, INT32 num)

 				SLOTFOUND

-				for (i = 0; i < MAXLINELEN-3; i++)
+				// A friendly neighborhood alias for brevity's sake
+				const size_t note_size = sizeof(description[num].notes);
+
+				for (i = 0; i < MAXLINELEN-note_size-3; i++)
 				{
 					if (s[i] == '=')
 					{
@ -239,8 +242,9 @@ void readPlayer(MYFILE *f, INT32 num)
 				}
 				if (playertext)
 				{
-					strcpy(description[num].notes, playertext);
-					strcat(description[num].notes, myhashfgets(playertext, sizeof (description[num].notes), f));
+					strlcpy(description[num].notes, playertext, note_size);
+					strlcat(description[num].notes,
+						myhashfgets(playertext, note_size, f), note_size);
 				}
 				else
 					strcpy(description[num].notes, "");
@ -249,7 +253,7 @@ void readPlayer(MYFILE *f, INT32 num)
 				// It works down here, though.
 				{
 					INT32 numline = 0;
-					for (i = 0; (size_t)i < sizeof(description[num].notes)-1; i++)
+					for (i = 0; (size_t)i < note_size-1; i++)
 					{
 						if (numline < 20 && description[num].notes[i] == '\n')
 							numline++;
@ -1140,8 +1144,10 @@ void readgametype(MYFILE *f, char *gtname)
 				}
 				if (descr)
 				{
-					strcpy(gtdescription, descr);
-					strcat(gtdescription, myhashfgets(descr, sizeof (gtdescription), f));
+					strlcpy(gtdescription, descr, sizeof (gtdescription));
+					strlcat(gtdescription,
+						myhashfgets(descr, sizeof (gtdescription), f),
+						sizeof (gtdescription));
 				}
 				else
 					strcpy(gtdescription, "");