stjr/SRB2
0
0
Fork 0
mirror of https://git.do.srb2.org/STJr/SRB2.git synced 2025-01-22 09:11:21 +00:00
Code Issues Projects Releases Packages Wiki Activity

Fix myhashfgets-related buffer overflows in deh_soc.c

Browse source
This commit is contained in:
X.organic 2021-04-06 01:01:33 +02:00
parent bcd3245b76
commit 701c6c8968
No known key found for this signature in database
GPG key ID: E8A896BE6A3BC4E0
1 changed files with 12 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
src/deh_soc.c
View file

@ -229,7 +229,10 @@ void readPlayer(MYFILE *f, INT32 num)
SLOTFOUND
for (i = 0; i < MAXLINELEN-3; i++)
// A friendly neighborhood alias for brevity's sake
const size_t note_size = sizeof(description[num].notes);
for (i = 0; i < MAXLINELEN-note_size-3; i++)
{
if (s[i] == '=')
{
@ -239,8 +242,9 @@ void readPlayer(MYFILE *f, INT32 num)
}
if (playertext)
{
strcpy(description[num].notes, playertext);
strcat(description[num].notes, myhashfgets(playertext, sizeof (description[num].notes), f));
strlcpy(description[num].notes, playertext, note_size);
strlcat(description[num].notes,
myhashfgets(playertext, note_size, f), note_size);
}
else
strcpy(description[num].notes, "");
@ -249,7 +253,7 @@ void readPlayer(MYFILE *f, INT32 num)
// It works down here, though.
{
INT32 numline = 0;
for (i = 0; (size_t)i < sizeof(description[num].notes)-1; i++)
for (i = 0; (size_t)i < note_size-1; i++)
{
if (numline < 20 && description[num].notes[i] == '\n')
numline++;
@ -1140,8 +1144,10 @@ void readgametype(MYFILE *f, char *gtname)
}
if (descr)
{
strcpy(gtdescription, descr);
strcat(gtdescription, myhashfgets(descr, sizeof (gtdescription), f));
strlcpy(gtdescription, descr, sizeof (gtdescription));
strlcat(gtdescription,
myhashfgets(descr, sizeof (gtdescription), f),
sizeof (gtdescription));
}
else
strcpy(gtdescription, "");