From 701c6c8968fea04dc13f02c3cc5e3e7841e48345 Mon Sep 17 00:00:00 2001 From: "X.organic" Date: Tue, 6 Apr 2021 01:01:33 +0200 Subject: [PATCH 1/3] Fix myhashfgets-related buffer overflows in deh_soc.c --- src/deh_soc.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/src/deh_soc.c b/src/deh_soc.c index 5b12ea1b0..bc7533ee0 100644 --- a/src/deh_soc.c +++ b/src/deh_soc.c @@ -229,7 +229,10 @@ void readPlayer(MYFILE *f, INT32 num) SLOTFOUND - for (i = 0; i < MAXLINELEN-3; i++) + // A friendly neighborhood alias for brevity's sake + const size_t note_size = sizeof(description[num].notes); + + for (i = 0; i < MAXLINELEN-note_size-3; i++) { if (s[i] == '=') { @@ -239,8 +242,9 @@ void readPlayer(MYFILE *f, INT32 num) } if (playertext) { - strcpy(description[num].notes, playertext); - strcat(description[num].notes, myhashfgets(playertext, sizeof (description[num].notes), f)); + strlcpy(description[num].notes, playertext, note_size); + strlcat(description[num].notes, + myhashfgets(playertext, note_size, f), note_size); } else strcpy(description[num].notes, ""); @@ -249,7 +253,7 @@ void readPlayer(MYFILE *f, INT32 num) // It works down here, though. { INT32 numline = 0; - for (i = 0; (size_t)i < sizeof(description[num].notes)-1; i++) + for (i = 0; (size_t)i < note_size-1; i++) { if (numline < 20 && description[num].notes[i] == '\n') numline++; @@ -1140,8 +1144,10 @@ void readgametype(MYFILE *f, char *gtname) } if (descr) { - strcpy(gtdescription, descr); - strcat(gtdescription, myhashfgets(descr, sizeof (gtdescription), f)); + strlcpy(gtdescription, descr, sizeof (gtdescription)); + strlcat(gtdescription, + myhashfgets(descr, sizeof (gtdescription), f), + sizeof (gtdescription)); } else strcpy(gtdescription, ""); From f0f3b33d71db97ccf4b747f8962022df3104a18c Mon Sep 17 00:00:00 2001 From: "X.organic" Date: Tue, 6 Apr 2021 03:12:46 +0200 Subject: [PATCH 2/3] Edit note_size alias to get rid of warnings --- src/deh_soc.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/src/deh_soc.c b/src/deh_soc.c index bc7533ee0..72f785eff 100644 --- a/src/deh_soc.c +++ b/src/deh_soc.c @@ -230,9 +230,9 @@ void readPlayer(MYFILE *f, INT32 num) SLOTFOUND // A friendly neighborhood alias for brevity's sake - const size_t note_size = sizeof(description[num].notes); +#define NOTE_SIZE sizeof(description[num].notes) - for (i = 0; i < MAXLINELEN-note_size-3; i++) + for (i = 0; i < (INT32)(MAXLINELEN-NOTE_SIZE-3); i++) { if (s[i] == '=') { @@ -242,9 +242,9 @@ void readPlayer(MYFILE *f, INT32 num) } if (playertext) { - strlcpy(description[num].notes, playertext, note_size); + strlcpy(description[num].notes, playertext, NOTE_SIZE); strlcat(description[num].notes, - myhashfgets(playertext, note_size, f), note_size); + myhashfgets(playertext, NOTE_SIZE, f), NOTE_SIZE); } else strcpy(description[num].notes, ""); @@ -253,7 +253,7 @@ void readPlayer(MYFILE *f, INT32 num) // It works down here, though. { INT32 numline = 0; - for (i = 0; (size_t)i < note_size-1; i++) + for (i = 0; (size_t)i < NOTE_SIZE-1; i++) { if (numline < 20 && description[num].notes[i] == '\n') numline++; @@ -264,6 +264,7 @@ void readPlayer(MYFILE *f, INT32 num) } description[num].notes[strlen(description[num].notes)-1] = '\0'; description[num].notes[i] = '\0'; +#undef NOTE_SIZE continue; } From 6f0b4a4f6d5f129631f7aed997c332afbfe263e0 Mon Sep 17 00:00:00 2001 From: "X.organic" Date: Tue, 6 Apr 2021 03:13:38 +0200 Subject: [PATCH 3/3] Remove some dead code from DEH_LoadDehackedFile Also fixes a buffer overflow, but said overflow generally got caught by the stack smashing protector. Still, it's better for SOC files not to be able to crash the game that easily. --- src/dehacked.c | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/src/dehacked.c b/src/dehacked.c index c2ea28d27..3f066a924 100644 --- a/src/dehacked.c +++ b/src/dehacked.c @@ -188,26 +188,11 @@ static void DEH_LoadDehackedFile(MYFILE *f, boolean mainfile) dbg_line = -1; // start at -1 so the first line is 0. while (!myfeof(f)) { - char origpos[128]; - INT32 size = 0; - char *traverse; - myfgets(s, MAXLINELEN, f); memcpy(textline, s, MAXLINELEN); if (s[0] == '\n' || s[0] == '#') continue; - traverse = s; - - while (traverse[0] != '\n') - { - traverse++; - size++; - } - - strncpy(origpos, s, size); - origpos[size] = '\0'; - if (NULL != (word = strtok(s, " "))) { strupr(word); if (word[strlen(word)-1] == '\n')