Commit graph

3385 commits

Author SHA1 Message Date
Zack Middleton
3ad427c68d Fix q3history buffer not cleared between mods and OOB-access
Loading a 1024-byte q3history file will fill the whole consoleSaveBuffer
leaving no space for a string terminator. Com_Parse will read at least
one byte beyond the end of consoleSaveBuffer. The written console
history file can only be 1023 bytes (enforced by Q_strcat) so don't
allow loading size of 1024.

If switching to a mod with a shorter q3history file, the data in
consoleSaveBuffer that isn't overwritten will be parsed. So always
add a string terminator.

String not terminated reported by David "devnexen" CARLIER.
2018-04-09 02:20:49 -05:00
Zack Middleton
699cbed7c7 Fix mouse grab after toggling fullscreen
cls.glconfig.isFullscreen was not updated when changing r_fullscreen
without a vid_restart. Starting in fullscreen and switching to
windowed mode would not release the mouse.

Mods calling trap_GetGlconfig() after a fullscreen toggle now get
the correct value for isFullscreen. (Note: Mods already got the
correct value at start up and after vid_restart.)

Reported by Mickaël "mickael9" Thomas.
2018-04-09 00:05:43 -05:00
Mickaël Thomas
e986384fde Maximize cURL buffer size
Allows higher download throughput (from ~2 MB/s to ~60 MB/s at 120FPS)

This has no effect for curl versions older than 7.53.0 (for which the
buffer can only be shrunk below 16k)
2018-04-08 22:40:37 -05:00
IR4T4
63e59a4591 Fix the behaviour of CVAR_LATCH|CVAR_CHEAT cvars
Fix the output/behaviour of CVAR_CHEAT flagged cvars in case they are
also of type CVAR_LATCH (avoid the early latch case return to make it
work as intended).
2018-04-08 22:08:04 -05:00
Dominic Fandrey
b8ee77cecc Avoid srcList[-1] in snd_openal.c 2018-04-08 21:41:31 -05:00
Dominic Fandrey
a740ba47dd OpenGL1: Decay float[8] to float * in tr_marks.c 2018-04-08 21:41:31 -05:00
Dominic Fandrey
bf4c7a0341 Add missing address operator in cm_polylib.c
Also avoid nullptr dereference.
2018-04-08 21:41:31 -05:00
Dominic Fandrey
3a702ded65 Fix signed bit operations in MSG_ReadBits 2018-04-08 21:41:31 -05:00
Dominic Fandrey
62cec249d7 Fix shift into sign in cl_cin.c 2018-04-08 21:41:31 -05:00
Zack Middleton
ae9edd1491 Fix shifting bits out of byte in tr_font.c
Found using LLVM sanitizer. Reported by Dominic "lonkamikaze" Fandrey.
2018-04-08 21:41:31 -05:00
Dominic Fandrey
a494edeb94 Fix undefined behaviour due to shifting signed in snd_mem.c 2018-04-08 21:41:26 -05:00
Zack Middleton
4ea0eebfe5 Fix nullptr dereference in front of nullptr check in FS_CheckPak0
Found using LLVM sanitizer. Reported by Dominic "lonkamikaze" Fandrey
and David "devnexen" CARLIER.
2018-04-08 20:56:08 -05:00
Eugene C
9f294ce520 Fix MSG_Read*String*() functions not being able to read last byte from message
This is exact root of q3msgboom bug http://aluigi.altervista.org/adv/q3msgboom-adv.txt
Unfortunately, server still need this ugly '1022 char limit' hack to support unfixed clients in some degree.
And as it affects MSG_ReadBigString() - unfixed clients can still be crashed by 8191-chars long configstrings that comes with gamestate
2018-04-03 22:36:24 -05:00
Zack Middleton
3bf48877f3 Fix "Going to CS_ZOMBIE for [clientname]" developer message
Client name was cleared before printing the message resulting in
a blank name.
2018-04-03 21:37:59 -05:00
Zack Middleton
b61e2998f3 Fix exploit to reset player by sending wrong serverId
If client sends wrong serverId but is already active in the world
(CS_ACTIVE) don't resend initial gamestate for the map. This isn't a
valid situation. The player should be CS_CONNECTED or CS_PRIMED.

Resending gamestate to an active player will cause them to respawn
without dying or disconnecting. If the player had a CTF flag it gets
lost until the map is changed or restarted.

Reported by Ensiform at:

    https://bugzilla.icculus.org/show_bug.cgi?id=6324
2018-04-03 21:37:15 -05:00
Zack Middleton
1284205012 Remove duplicate setting of FREETYPE_CFLAGS in Makefile 2018-04-03 20:11:53 -05:00
Zack Middleton
484149573b Allow loading system OpenAL library on macOS again
In May 2017 the library loading was limited to *.dylib but the macOS
system OpenAL framework does not have dylib extension. So allow loading
files from /System/Library/Frameworks/ as libraries even without dylib
extension.

This is checked in Sys_DllExtension() so that QVM filesystem access will
not allow writing files to /System/Library/Frameworks/ even if homepath
is changed to include it. (Admittedly it doesn't fit the function name
but fits the function description and current usage.)
2018-03-22 14:58:44 -05:00
Zachary J. Slater
9465b445b0 Feedback from the PR
minor edits based on feedback to the PR
2018-03-21 10:59:13 +00:00
Zachary J. Slater
e511c114b3 First swing at a CONTRIBUTING.md
Thanks to Timbo for the suggestion. This one is mostly based on the one
from Atom.
2018-03-21 10:59:13 +00:00
Zack Middleton
acef71af5e Rename (already updated) opusfile-0.8 to opusfile-0.9 2018-03-16 13:29:20 -05:00
Zack Middleton
58a315fe3f Update opusfile from 0.8 to 0.9 2018-03-16 13:29:20 -05:00
Zack Middleton
8611eb421d Rename (already updated) opus-1.1.4 to opus-1.2.1 2018-03-16 13:29:19 -05:00
Zack Middleton
cb24c59567 Update opus from 1.1.4 to 1.2.1 2018-03-16 13:29:19 -05:00
Zack Middleton
c38c823a2a Rename (already updated) libvorbis-1.3.5 to libvorbis-1.3.6 2018-03-16 13:29:19 -05:00
Zack Middleton
b78c6e61bf Update libvorbis from 1.3.5 to 1.3.6
* Fix CVE-2018-5146 - out-of-bounds write on codebook decoding.
* Fix CVE-2017-14632 - free() on unitialized data
* Fix CVE-2017-14633 - out-of-bounds read
2018-03-16 13:29:02 -05:00
Zack Middleton
ebd3d516ac Rename (already updated) libogg-1.3.2 to libogg-1.3.3 2018-03-16 13:11:27 -05:00
Zack Middleton
2e7900c1aa Update libogg from 1.3.2 to 1.3.3 2018-03-16 13:11:27 -05:00
Tom Murphy
af6b1f8edf Remove CON_FlushIn function and where STDIN needs flushing, use tcflush POSIX function 2018-03-14 21:43:56 +00:00
Zack Middleton
b48d902672 OpenGL1: Use glGenTextures instead of hardcoded values
It's the proper way to use the OpenGL API. It's already done in the
OpenGL2 renderer.
2018-03-13 09:17:23 -05:00
Zack Middleton
d28e667e46 Fix macOS app bundle with space in name 2018-03-04 05:16:29 -06:00
Zack Middleton
0d6edd227a Support Unicode characters greater than 0xFF in cl_consoleKeys
Unrelated: make '0x' value be -1 (invalid) instead of 0.

Reported by MAN-AT-ARMS.
2018-02-22 18:15:53 -06:00
Zack Middleton
00c3480938 OpenGL2: Fix crash when BSP has deluxe maps and vertex lit surfaces
Reported by Mickaël Thomas (mickael9).
2018-02-18 13:05:27 -06:00
Zack Middleton
d1f82ed567 Increase q3_ui .arena filename list buffer size to 4096 bytes
Allow listing about 273 .arena filenames for loading in q3_ui instead
of only about 136 that fit in a 2048 byte buffer (average 15 bytes per
file name).

The buffer for filename list runs out of space long before the buffer
for arena file content does. There is no warning for file list out of
space but there is a warning for arena file content.

This was requested by a user with many maps.
2018-02-11 15:54:05 -06:00
Zack Middleton
d4e7d987a3 Fix MAC_OS_X_VERSION_MIN_REQUIRED for macOS 10.10 and later
Manually specifying MACOSX_VERSION_MIN=10.10 or later would use the
wrong value for MAC_OS_X_VERSION_MIN_REQUIRED define. 1100 instead of
101000.
2018-02-08 10:23:44 -06:00
Thomas Köppe
3f29b8558d [qcommon] Make several zone variables and functions static. 2018-02-07 09:13:27 -06:00
Thomas Köppe
d047210aca [qcommon] Remove dead serialization code 2018-02-05 10:37:46 -06:00
Zack Middleton
71a9a5efa6 Make FS_InvalidGameDir() consider subdirectories invalid
fs_game shouldn't be a subdirectory and it simplifies the code.
2018-02-04 20:34:48 -06:00
Zack Middleton
3d6aa05694 OpenGL2: Fix dark lightmap on shader in mpteam6
Team Arena's mpteam6 map has a shader textures/base_wall2/space_concrete
that contains an opaque stage, two non-lightmap blendfunc filter stages,
a blendfunc add stage, and a lightmap stage. The lightmap was attached
to all four of the non-lightmap stages causing the filter stages to
darken the lightmap multiple times.

Change setting up the lightall GLSL shader to only use lightmap if it's
the first stage or not a blendfunc filter stage. Now only the opaque
and blendfunc add stages of the mpteam6 shader use the lightmap.

Reported by Alexander Nadeau (wareya).
2018-02-04 14:34:17 -06:00
Zack Middleton
0b6d97f849 Fix negative frag/capturelimit causing an infinite map end loop
Reported by @vloup.
2018-02-04 10:37:39 -06:00
Zack Middleton
fc16ac6bd2 Fix invalid access to cluster 0 in AAS_AreaRouteToGoalArea()
Newer versions of BSPC such as 2.1h included with the Quake 3 GPL source
code create AAS files containing areas in cluster 0 if the area has no
reachabilities.

The AAS files included with Quake 3 and Team Arena do not contain areas
in cluster 0. It's apparent that BSPC would not create them. Instead it
created clusters with no reachability areas.

It seems the intention was to check if the areanum and goalareanum have
reachable areas using AAS_AreaReachability(areanum) everywhere before
calling AAS_AreaRouteToGoalArea(). This prevents adding cluster 0 to
the routing cache and portal cache. However, it is not checked
everywhere and including some places in the Game VM.

Fix AAS_AreaRouteToGoalArea() instead of trying to wack-a-mole with all
the places that call it.

Cluster 0 access reported by Thomas Köppe (github @tkoeppe) as causing
crashes in rare cases.
2018-02-04 09:07:44 -06:00
Zack Middleton
0822772ea2 Fix timelimit causing an infinite map ending loop
A negative timelimit value or a value that would overflow the
multiplication by 60000 caused an endless map change/reload.

Based on patch and description by @vloup.
2018-02-04 09:00:08 -06:00
Zack Middleton
83119a990a Fix Q_vsnprintf for mingw-w64
By default mingw-w64 uses Microsoft's broken _vsnprintf() in msvcrt.dll.
It can be overriden by defining __USE_MINGW_ANSI_STDIO but let's just
use the same behavior for both MSVC and mingw-w64.

Reported by @birdstakes.
2018-02-04 08:04:13 -06:00
Zack Middleton
ad10e6610c Changes to systemd q3a.service
Use an absolute path as required by systemd. Distro packages will need
to change it. (Reported by @andreyv and @zeroxfourc.)
Link to server documentation on the wiki instead of maintaining a subset
in the service file.
2018-02-04 07:51:17 -06:00
Zack Middleton
df8f657f09 Fix exploit to bypass filename restrictions on Windows
Windows API ignores all trailing spaces and periods which can get around
Quake 3 file system restrictions. QVM opening 'uix86.dll.' actually
opens 'uix86.dll' which allows QVM to write native code.

This is done in the low-level Sys_FOpen() instead of the function
directly used by VMs ( FS_FOpenFileByMode() ) in case there are engine
commands now or in the future that can read or write arbitrary files.

Reported by Noah Metzger (Chomenor).
2018-01-30 07:59:25 -06:00
Zack Middleton
acce0e5452 Fix building msvc12 project
* Don't try to embed manifest (it causes build to fail because it's
  specified in win_resource.rc).
* Fix curl include path.
* Compile sys_autoupdater.c.
* Make quake3 debug link to msvcrtd.lib instead of msvcrt.lib to fix
  unresolved external symbol __imp___CrtDbgReportW.
* Fix q3_ui dll output directory.
* Fix opus path filter.
* Use UseOfMfc false and CharacterSet NotSet.
* Fix header paths and remove non-existent files.
2018-01-30 07:40:09 -06:00
Zack Middleton
738465d677 Revert my recent cvar latch changes
My cvar latch system changes prevent the Game VM from changing
g_gametype when the value is out of range due to it being registed in
the engine. It's been pointed out as fragile method of security, which
was still exploitable, by Noah Metzger (Chomenor). It doesn't seem like
this is working out to be a good solution.

The issue of fs_game '..' on server being relicated on client via
systeminfo exploit is still fixed as it's not affected by latch.
There are a few cases from current values of fs_game are used which
ideally should use fs_gamedir char array which has been validated.

Revert "Don't let VMs change engine latch cvars immediately"
Partially revert "Fix fs_game '..' reading outside of home and base path"
Revert "Fix VMs forcing engine latch cvar to update to latched value"
2018-01-21 22:45:46 -06:00
Zack Middleton
ed8d48cac3 Fix VMs forcing engine latch cvar to update to latched value
A few commits ago I stopped VM's Cvar_Set() from instantly updating
latched values. Now VM can't call Cvar_Register() afterword to force
latched value to be used.

Reported by Noah Metzger (Chomenor).
2018-01-21 19:49:16 -06:00
Zack Middleton
3638f69dff Fix fs_game '..' reading outside of home and base path
VMs could set fs_game to '..' at anytime to access files outside of home
and base path. fs_game sent by server to clients could also be '..' to
access files outside of home and base path.

'..' was not caught by FS_CheckDirTraversal() as it expects filenames
not a single directory.

I've made fs_game be latched to prevent VMs from changing it with no
good way to validate it before it's used. com_basegame and fs_basegame
are now latched as well.

Additionally, it's now possible to change com_basegame while the engine
is running. game_restart or vid_restart will make it take affect.
com_homepath is now CVAR_PROTECTED to prevent VMs from changing it
to a directory traversal.

This requires my two previous commits for preventing VMs from changing
engine latch cvars and only Cvar_Get fs_game in FS_Startup (so CVAR_INIT
isn't added in serveral other places).

Reported by Noah Metzger (Chomenor).
2018-01-21 06:02:28 -06:00
Zack Middleton
78ca670d4f Don't let VMs change engine latch cvars immediately
If a VM increases sv_maxclients while a server is running the engine
will crash. The value should be latched until engine decides to update
the cvar; the same as when a user sets it.
2018-01-21 06:02:08 -06:00
Zack Middleton
adef4e6c9e Don't register fs_game cvar everywhere just to get the value 2018-01-21 06:02:08 -06:00