stjr/SRB2
0
0
Fork 0
mirror of https://git.do.srb2.org/STJr/SRB2.git synced 2024-11-15 01:01:33 +00:00
Code Issues Projects Releases Packages Wiki Activity

Fix use-after-free when calling v.drawString in Lua

Browse source
This commit is contained in:
Gustaf Alhäll 2023-06-02 18:49:37 +02:00 committed by Sally Coolatta
parent f67aea7fc2
commit 9253a8cc54
1 changed files with 9 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
src/lua_hudlib_drawlist.c
View file

@ -177,9 +177,18 @@ static const char *CopyString(huddrawlist_h list, const char* str)
lenstr = strlen(str);
if (list->strbuf_capacity <= list->strbuf_len + lenstr + 1)
{
const char *old_offset = list->strbuf;
size_t i;
if (list->strbuf_capacity == 0) list->strbuf_capacity = 256;
else list->strbuf_capacity *= 2;
list->strbuf = (char*) Z_Realloc(list->strbuf, sizeof(char) * list->strbuf_capacity, PU_STATIC, NULL);
// align the string pointers to make sure old pointers don't point towards invalid addresses
// this is necessary since Z_ReallocAlign might actually move the string buffer in memory
for (i = 0; i < list->items_len; i++)
{
list->items[i].str += list->strbuf - old_offset;
}
}
const char *result = (const char *) &list->strbuf[list->strbuf_len];
strncpy(&list->strbuf[list->strbuf_len], str, lenstr + 1);