teambeef/ioq3quest
0
0
Fork 0
mirror of https://github.com/DrBeef/ioq3quest.git synced 2024-11-12 23:54:07 +00:00
Code Issues Projects Releases Packages Wiki Activity

Add string length checking to function COM_StripExtension. This fixes the R_RemapShader buffer overflow exploit that can be found here:

Browse source 
http://milw0rm.com/exploits/1750
This commit is contained in:
Thilo Schulz 2006-05-06 01:56:24 +00:00
parent 2e368c02a6
commit d21411452e
13 changed files with 22 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
code/cgame/cg_weapons.c
View file

@ -656,17 +656,17 @@ void CG_RegisterWeapon( int weaponNum ) {
} }
strcpy( path, item->world_model[0] ); strcpy( path, item->world_model[0] );
COM_StripExtension( path, path ); COM_StripExtension(path, path, sizeof(path));
strcat( path, "_flash.md3" ); strcat( path, "_flash.md3" );
weaponInfo->flashModel = trap_R_RegisterModel( path ); weaponInfo->flashModel = trap_R_RegisterModel( path );
strcpy( path, item->world_model[0] ); strcpy( path, item->world_model[0] );
COM_StripExtension( path, path ); COM_StripExtension(path, path, sizeof(path));
strcat( path, "_barrel.md3" ); strcat( path, "_barrel.md3" );
weaponInfo->barrelModel = trap_R_RegisterModel( path ); weaponInfo->barrelModel = trap_R_RegisterModel( path );
strcpy( path, item->world_model[0] ); strcpy( path, item->world_model[0] );
COM_StripExtension( path, path ); COM_StripExtension(path, path, sizeof(path));
strcat( path, "_hand.md3" ); strcat( path, "_hand.md3" );
weaponInfo->handsModel = trap_R_RegisterModel( path ); weaponInfo->handsModel = trap_R_RegisterModel( path );

2
code/client/cl_main.c
View file

@ -2066,7 +2066,7 @@ void CL_Frame ( int msec ) {
} }
Q_strncpyz( mapName, COM_SkipPath( cl.mapname ), sizeof( cl.mapname ) ); Q_strncpyz( mapName, COM_SkipPath( cl.mapname ), sizeof( cl.mapname ) );
COM_StripExtension( mapName, mapName ); COM_StripExtension(mapName, mapName, sizeof(mapName));
Cbuf_ExecuteText( EXEC_NOW, Cbuf_ExecuteText( EXEC_NOW,
va( "record %s-%s-%s", nowString, serverName, mapName ) ); va( "record %s-%s-%s", nowString, serverName, mapName ) );

4
code/q3_ui/ui_playermodel.c
View file

@ -391,7 +391,7 @@ static void PlayerModel_BuildList( void )
int numfiles; int numfiles;
char dirlist[2048]; char dirlist[2048];
char filelist[2048]; char filelist[2048];
char skinname[64]; char skinname[MAX_QPATH];
char* dirptr; char* dirptr;
char* fileptr; char* fileptr;
int i; int i;
@ -424,7 +424,7 @@ static void PlayerModel_BuildList( void )
{ {
filelen = strlen(fileptr); filelen = strlen(fileptr);
COM_StripExtension(fileptr,skinname); COM_StripExtension(fileptr,skinname, sizeof(skinname));
// look for icon_???? // look for icon_????
if (!Q_stricmpn(skinname,"icon_",5)) if (!Q_stricmpn(skinname,"icon_",5))

4
code/q3_ui/ui_players.c
View file

@ -89,13 +89,13 @@ tryagain:
if ( weaponNum == WP_MACHINEGUN || weaponNum == WP_GAUNTLET || weaponNum == WP_BFG ) { if ( weaponNum == WP_MACHINEGUN || weaponNum == WP_GAUNTLET || weaponNum == WP_BFG ) {
strcpy( path, item->world_model[0] ); strcpy( path, item->world_model[0] );
COM_StripExtension( path, path ); COM_StripExtension( path, path, sizeof(path) );
strcat( path, "_barrel.md3" ); strcat( path, "_barrel.md3" );
pi->barrelModel = trap_R_RegisterModel( path ); pi->barrelModel = trap_R_RegisterModel( path );
} }
strcpy( path, item->world_model[0] ); strcpy( path, item->world_model[0] );
COM_StripExtension( path, path ); COM_StripExtension( path, path, sizeof(path) );
strcat( path, "_flash.md3" ); strcat( path, "_flash.md3" );
pi->flashModel = trap_R_RegisterModel( path ); pi->flashModel = trap_R_RegisterModel( path );

2
code/q3_ui/ui_saveconfig.c
View file

@ -85,7 +85,7 @@ static void UI_SaveConfigMenu_SaveEvent( void *ptr, int event ) {
return; return;
} }
COM_StripExtension(saveConfig.savename.field.buffer, configname ); COM_StripExtension(saveConfig.savename.field.buffer, configname, sizeof(configname));
trap_Cmd_ExecuteText( EXEC_APPEND, va( "writeconfig %s.cfg\n", configname ) ); trap_Cmd_ExecuteText( EXEC_APPEND, va( "writeconfig %s.cfg\n", configname ) );
UI_PopMenu(); UI_PopMenu();
} }

2
code/qcommon/files.c
View file

@ -3451,7 +3451,7 @@ void FS_FilenameCompletion( const char *dir, const char *ext,
Q_strncpyz( filename, filenames[ i ], MAX_STRING_CHARS ); Q_strncpyz( filename, filenames[ i ], MAX_STRING_CHARS );
if( stripExt ) { if( stripExt ) {
COM_StripExtension( filename, filename ); COM_StripExtension(filename, filename, sizeof(filename));
} }
callback( filename ); callback( filename );

4
code/qcommon/q_shared.c
View file

@ -58,10 +58,10 @@ char *COM_SkipPath (char *pathname)
COM_StripExtension COM_StripExtension
============ ============
*/ */
void COM_StripExtension( const char *in, char *out ) { void COM_StripExtension( const char *in, char *out, int destsize ) {
int length; int length;
strcpy( out, in ); Q_strncpyz(out, in, destsize);
length = strlen(out)-1; length = strlen(out)-1;
while (length > 0 && out[length] != '.') while (length > 0 && out[length] != '.')

2
code/qcommon/q_shared.h
View file

@ -588,7 +588,7 @@ int Q_isnan( float x );
float Com_Clamp( float min, float max, float value ); float Com_Clamp( float min, float max, float value );
char *COM_SkipPath( char *pathname ); char *COM_SkipPath( char *pathname );
void COM_StripExtension( const char *in, char *out ); void COM_StripExtension(const char *in, char *out, int destsize);
void COM_DefaultExtension( char *path, int maxSize, const char *extension ); void COM_DefaultExtension( char *path, int maxSize, const char *extension );
void COM_BeginParseSession( const char *name ); void COM_BeginParseSession( const char *name );

2
code/qcommon/vm.c
View file

@ -230,7 +230,7 @@ void VM_LoadSymbols( vm_t *vm ) {
return; return;
} }
COM_StripExtension( vm->name, name ); COM_StripExtension(vm->name, name, sizeof(name));
Com_sprintf( symbols, sizeof( symbols ), "vm/%s.map", name ); Com_sprintf( symbols, sizeof( symbols ), "vm/%s.map", name );
len = FS_ReadFile( symbols, (void **)&mapfile ); len = FS_ReadFile( symbols, (void **)&mapfile );
if ( !mapfile ) { if ( !mapfile ) {

2
code/renderer/tr_bsp.c
View file

@ -1823,7 +1823,7 @@ void RE_LoadWorldMap( const char *name ) {
Q_strncpyz( s_worldData.name, name, sizeof( s_worldData.name ) ); Q_strncpyz( s_worldData.name, name, sizeof( s_worldData.name ) );
Q_strncpyz( s_worldData.baseName, COM_SkipPath( s_worldData.name ), sizeof( s_worldData.name ) ); Q_strncpyz( s_worldData.baseName, COM_SkipPath( s_worldData.name ), sizeof( s_worldData.name ) );
COM_StripExtension( s_worldData.baseName, s_worldData.baseName ); COM_StripExtension(s_worldData.baseName, s_worldData.baseName, sizeof(s_worldData.baseName));
startMarker = ri.Hunk_Alloc(0, h_low); startMarker = ri.Hunk_Alloc(0, h_low);
c_gridVerts = 0; c_gridVerts = 0;

6
code/renderer/tr_shader.c
View file

@ -95,7 +95,7 @@ void R_RemapShader(const char *shaderName, const char *newShaderName, const char
// remap all the shaders with the given name // remap all the shaders with the given name
// even tho they might have different lightmaps // even tho they might have different lightmaps
COM_StripExtension( shaderName, strippedName ); COM_StripExtension(shaderName, strippedName, sizeof(strippedName));
hash = generateHashValue(strippedName, FILE_HASH_SIZE); hash = generateHashValue(strippedName, FILE_HASH_SIZE);
for (sh = hashTable[hash]; sh; sh = sh->next) { for (sh = hashTable[hash]; sh; sh = sh->next) {
if (Q_stricmp(sh->name, strippedName) == 0) { if (Q_stricmp(sh->name, strippedName) == 0) {
@ -2365,7 +2365,7 @@ shader_t *R_FindShaderByName( const char *name ) {
return tr.defaultShader; return tr.defaultShader;
} }
COM_StripExtension( name, strippedName ); COM_StripExtension(name, strippedName, sizeof(strippedName));
hash = generateHashValue(strippedName, FILE_HASH_SIZE); hash = generateHashValue(strippedName, FILE_HASH_SIZE);
@ -2433,7 +2433,7 @@ shader_t *R_FindShader( const char *name, int lightmapIndex, qboolean mipRawImag
lightmapIndex = LIGHTMAP_BY_VERTEX; lightmapIndex = LIGHTMAP_BY_VERTEX;
} }
COM_StripExtension( name, strippedName ); COM_StripExtension(name, strippedName, sizeof(strippedName));
hash = generateHashValue(strippedName, FILE_HASH_SIZE); hash = generateHashValue(strippedName, FILE_HASH_SIZE);

4
code/ui/ui_main.c
View file

@ -4958,7 +4958,7 @@ static void UI_BuildQ3Model_List( void )
int numfiles; int numfiles;
char dirlist[2048]; char dirlist[2048];
char filelist[2048]; char filelist[2048];
char skinname[64]; char skinname[MAX_QPATH];
char scratch[256]; char scratch[256];
char* dirptr; char* dirptr;
char* fileptr; char* fileptr;
@ -4988,7 +4988,7 @@ static void UI_BuildQ3Model_List( void )
{ {
filelen = strlen(fileptr); filelen = strlen(fileptr);
COM_StripExtension(fileptr,skinname); COM_StripExtension(fileptr, skinname, sizeof(skinname));
// look for icon_???? // look for icon_????
if (Q_stricmpn(skinname, "icon_", 5) == 0 && !(Q_stricmp(skinname,"icon_blue") == 0 || Q_stricmp(skinname,"icon_red") == 0)) if (Q_stricmpn(skinname, "icon_", 5) == 0 && !(Q_stricmp(skinname,"icon_blue") == 0 || Q_stricmp(skinname,"icon_red") == 0))

4
code/ui/ui_players.c
View file

@ -90,13 +90,13 @@ tryagain:
if ( weaponNum == WP_MACHINEGUN || weaponNum == WP_GAUNTLET || weaponNum == WP_BFG ) { if ( weaponNum == WP_MACHINEGUN || weaponNum == WP_GAUNTLET || weaponNum == WP_BFG ) {
strcpy( path, item->world_model[0] ); strcpy( path, item->world_model[0] );
COM_StripExtension( path, path ); COM_StripExtension(path, path, sizeof(path));
strcat( path, "_barrel.md3" ); strcat( path, "_barrel.md3" );
pi->barrelModel = trap_R_RegisterModel( path ); pi->barrelModel = trap_R_RegisterModel( path );
} }
strcpy( path, item->world_model[0] ); strcpy( path, item->world_model[0] );
COM_StripExtension( path, path ); COM_StripExtension(path, path, sizeof(path));
strcat( path, "_flash.md3" ); strcat( path, "_flash.md3" );
pi->flashModel = trap_R_RegisterModel( path ); pi->flashModel = trap_R_RegisterModel( path );