stjr/SRB2
0
0
Fork 0
mirror of https://git.do.srb2.org/STJr/SRB2.git synced 2025-02-03 15:01:28 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'security-release-14' into 2214

Browse source
This commit is contained in:
spherallic 2024-06-25 16:48:46 +02:00
commit f8ea1a0426
2 changed files with 34 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
src/hu_stuff.c
View file

@ -599,6 +599,7 @@ static void Got_Saycmd(UINT8 **p, INT32 playernum)
SINT8 target; SINT8 target;
UINT8 flags; UINT8 flags;
const char *dispname; const char *dispname;
char buf[HU_MAXMSGLEN + 1];
char *msg; char *msg;
boolean action = false; boolean action = false;
char *ptr; char *ptr;
@ -608,8 +609,8 @@ static void Got_Saycmd(UINT8 **p, INT32 playernum)
target = READSINT8(*p); target = READSINT8(*p);
flags = READUINT8(*p); flags = READUINT8(*p);
msg = (char *)*p; msg = buf;
SKIPSTRINGL(*p, HU_MAXMSGLEN + 1); READSTRINGL(*p, msg, HU_MAXMSGLEN + 1);
if ((cv_mute.value || players[playernum].muted || flags & (HU_CSAY|HU_SERVER_SAY)) && playernum != serverplayer && !(IsPlayerAdmin(playernum))) if ((cv_mute.value || players[playernum].muted || flags & (HU_CSAY|HU_SERVER_SAY)) && playernum != serverplayer && !(IsPlayerAdmin(playernum)))
{ {

36
src/lua_consolelib.c
View file

@ -31,11 +31,27 @@ return luaL_error(L, "HUD rendering code should not call this function!");
static consvar_t *this_cvar; static consvar_t *this_cvar;
static void clear_lua_stack(void)
{
if (gL) // check if Lua is actually turned on first, you dummmy -- Monster Iestyn 04/07/18
lua_settop(gL, 0); // clear stack
}
void Got_Luacmd(UINT8 **cp, INT32 playernum) void Got_Luacmd(UINT8 **cp, INT32 playernum)
{ {
UINT8 i, argc, flags; UINT8 i, argc, flags;
const char *argv[256];
char buf[256]; char buf[256];
argc = READUINT8(*cp);
argv[0] = (const char*)*cp;
SKIPSTRINGN(*cp, 255);
for (i = 1; i < argc; i++)
{
argv[i] = (const char*)*cp;
SKIPSTRINGN(*cp, 255);
}
// don't use I_Assert here, goto the deny code below // don't use I_Assert here, goto the deny code below
// to clean up and kick people who try nefarious exploits // to clean up and kick people who try nefarious exploits
// like sending random junk lua commands to crash the server // like sending random junk lua commands to crash the server
@ -48,8 +64,7 @@ void Got_Luacmd(UINT8 **cp, INT32 playernum)
lua_getfield(gL, LUA_REGISTRYINDEX, "COM_Command"); // push COM_Command lua_getfield(gL, LUA_REGISTRYINDEX, "COM_Command"); // push COM_Command
if (!lua_istable(gL, -1)) goto deny; if (!lua_istable(gL, -1)) goto deny;
argc = READUINT8(*cp); strlcpy(buf, argv[0], 255);
READSTRINGN(*cp, buf, 255);
strlwr(buf); // must lowercase buffer strlwr(buf); // must lowercase buffer
lua_getfield(gL, -1, buf); // push command info table lua_getfield(gL, -1, buf); // push command info table
if (!lua_istable(gL, -1)) goto deny; if (!lua_istable(gL, -1)) goto deny;
@ -75,10 +90,17 @@ void Got_Luacmd(UINT8 **cp, INT32 playernum)
lua_remove(gL, -2); // pop command info table lua_remove(gL, -2); // pop command info table
if (!lua_checkstack(gL, argc)) // player + command arguments
{
clear_lua_stack();
CONS_Alert(CONS_WARNING, "lua command stack overflow from %s (%d, need %d more)\n", player_names[playernum], lua_gettop(gL), argc);
return;
}
LUA_PushUserdata(gL, &players[playernum], META_PLAYER); LUA_PushUserdata(gL, &players[playernum], META_PLAYER);
for (i = 1; i < argc; i++) for (i = 1; i < argc; i++)
{ {
READSTRINGN(*cp, buf, 255); strlcpy(buf, argv[i], 255);
lua_pushstring(gL, buf); lua_pushstring(gL, buf);
} }
LUA_Call(gL, (int)argc, 0, 1); // argc is 1-based, so this will cover the player we passed too. LUA_Call(gL, (int)argc, 0, 1); // argc is 1-based, so this will cover the player we passed too.
@ -86,8 +108,7 @@ void Got_Luacmd(UINT8 **cp, INT32 playernum)
deny: deny:
//must be hacked/buggy client //must be hacked/buggy client
if (gL) // check if Lua is actually turned on first, you dummmy -- Monster Iestyn 04/07/18 clear_lua_stack();
lua_settop(gL, 0); // clear stack
CONS_Alert(CONS_WARNING, M_GetText("Illegal lua command received from %s\n"), player_names[playernum]); CONS_Alert(CONS_WARNING, M_GetText("Illegal lua command received from %s\n"), player_names[playernum]);
if (server) if (server)
@ -173,6 +194,11 @@ void COM_Lua_f(void)
I_Assert(lua_isfunction(gL, -1)); I_Assert(lua_isfunction(gL, -1));
lua_remove(gL, -2); // pop command info table lua_remove(gL, -2); // pop command info table
if (!lua_checkstack(gL, COM_Argc() + 1))
{
CONS_Alert(CONS_WARNING, "lua command stack overflow (%d, need %s more)\n", lua_gettop(gL), sizeu1(COM_Argc() + 1));
return;
}
LUA_PushUserdata(gL, &players[playernum], META_PLAYER); LUA_PushUserdata(gL, &players[playernum], META_PLAYER);
for (i = 1; i < COM_Argc(); i++) for (i = 1; i < COM_Argc(); i++)
lua_pushstring(gL, COM_Argv(i)); lua_pushstring(gL, COM_Argv(i));