stjr/SRB2
0
0
Fork 0
mirror of https://git.do.srb2.org/STJr/SRB2.git synced 2025-03-22 10:52:23 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'fix-use-after-free-drawstring' into 'next'

Browse source 
Fix use-after-free when calling v.drawString in Lua

See merge request
This commit is contained in:
Sal 2023-07-26 12:13:49 +00:00
commit c390a7c0c0
1 changed files with 9 additions and 0 deletions

9
src/lua_hudlib_drawlist.c
View file

@ -177,9 +177,18 @@ static const char *CopyString(huddrawlist_h list, const char* str)
lenstr = strlen(str);
if (list->strbuf_capacity <= list->strbuf_len + lenstr + 1)
{
const char *old_offset = list->strbuf;
size_t i;
if (list->strbuf_capacity == 0) list->strbuf_capacity = 256;
else list->strbuf_capacity *= 2;
list->strbuf = (char*) Z_Realloc(list->strbuf, sizeof(char) * list->strbuf_capacity, PU_STATIC, NULL);
// align the string pointers to make sure old pointers don't point towards invalid addresses
// this is necessary since Z_ReallocAlign might actually move the string buffer in memory
for (i = 0; i < list->items_len; i++)
{
list->items[i].str += list->strbuf - old_offset;
}
}
const char *result = (const char *) &list->strbuf[list->strbuf_len];
strncpy(&list->strbuf[list->strbuf_len], str, lenstr + 1);