* Fix to multiple buffer overflow bugs in CL_Rcon_f

* Fix to COM_ParseExt 1 byte overwrite bug * Fixed some missing calls to trap_FS_FCloseFile * Fixed q3msgboom and q3infoboom bugs * Fixed some qboolean type confusion * Above fixes from http://www.quakesrc.org/forums/viewtopic.php?t=5374
2024-12-13 21:51:09 +00:00 · 2005-09-19 17:45:29 +00:00 · 2005-09-19 17:45:29 +00:00 · 33a48a0336
commit 33a48a0336
parent b185817285
9 changed files with 26 additions and 19 deletions
--- a/code/cgame/cg_players.c
+++ b/code/cgame/cg_players.c
@ -107,6 +107,7 @@ static qboolean	CG_ParseAnimationFile( const char *filename, clientInfo_t *ci )
 	}
 	if ( len >= sizeof( text ) - 1 ) {
 		CG_Printf( "File %s too long\n", filename );
+		trap_FS_FCloseFile( f );
 		return qfalse;
 	}
 	trap_FS_Read( text, len, f );
--- a/code/client/cl_keys.c
+++ b/code/client/cl_keys.c
@ -42,7 +42,7 @@ int			chat_playerNum;

 qboolean	key_overstrikeMode;

-qboolean	anykeydown;
+int				anykeydown;
 qkey_t		keys[MAX_KEYS];


@ -1238,7 +1238,7 @@ void Key_ClearStates (void)
 {
 	int		i;

-	anykeydown = qfalse;
+	anykeydown = 0;

 	for ( i=0 ; i < MAX_KEYS ; i++ ) {
 		if ( keys[i].down ) {
--- a/code/client/cl_main.c
+++ b/code/client/cl_main.c
@ -1090,6 +1090,7 @@ void CL_Connect_f( void ) {
 	Cvar_Set( "cl_currentServerAddress", server );
 }

+#define MAX_RCON_MESSAGE 1024

 /*
 =====================
@ -1100,7 +1101,7 @@ CL_Rcon_f
 =====================
 */
 void CL_Rcon_f( void ) {
-	char	message[1024];
+	char	message[MAX_RCON_MESSAGE];
 	netadr_t	to;

 	if ( !rcon_client_password->string ) {
@ -1115,13 +1116,13 @@ void CL_Rcon_f( void ) {
 	message[3] = -1;
 	message[4] = 0;

-	strcat (message, "rcon ");
+	Q_strcat (message, MAX_RCON_MESSAGE, "rcon ");

-	strcat (message, rcon_client_password->string);
-	strcat (message, " ");
+	Q_strcat (message, MAX_RCON_MESSAGE, rcon_client_password->string);
+	Q_strcat (message, MAX_RCON_MESSAGE, " ");

 	// https://zerowing.idsoftware.com/bugzilla/show_bug.cgi?id=543
-	strcat (message, Cmd_Cmd()+5);
+	Q_strcat (message, MAX_RCON_MESSAGE, Cmd_Cmd()+5);

 	if ( cls.state >= CA_CONNECTED ) {
 		to = clc.netchan.remoteAddress;
--- a/code/client/keys.h
+++ b/code/client/keys.h
@ -43,7 +43,7 @@ extern	field_t	historyEditLines[COMMAND_HISTORY];

 extern	field_t	g_consoleField;
 extern	field_t	chatField;
-extern	qboolean	anykeydown;
+extern	int				anykeydown;
 extern	qboolean	chat_team;
 extern	int			chat_playerNum;

--- a/code/game/q_shared.c
+++ b/code/game/q_shared.c
@ -453,7 +453,7 @@ char *COM_ParseExt( char **data_p, qboolean allowLineBreaks )
 				*data_p = ( char * ) data;
 				return com_token;
 			}
-			if (len < MAX_TOKEN_CHARS)
+			if (len < MAX_TOKEN_CHARS - 1)
 			{
 				com_token[len] = c;
 				len++;
@ -464,7 +464,7 @@ char *COM_ParseExt( char **data_p, qboolean allowLineBreaks )
 	// parse a regular word
 	do
 	{
-		if (len < MAX_TOKEN_CHARS)
+		if (len < MAX_TOKEN_CHARS - 1)
 		{
 			com_token[len] = c;
 			len++;
@ -475,11 +475,6 @@ char *COM_ParseExt( char **data_p, qboolean allowLineBreaks )
 			com_lines++;
 	} while (c>32);

-	if (len == MAX_TOKEN_CHARS)
-	{
-//		Com_Printf ("Token exceeded %i chars, discarded.\n", MAX_TOKEN_CHARS);
-		len = 0;
-	}
 	com_token[len] = 0;

 	*data_p = ( char * ) data;
@ -1192,7 +1187,7 @@ void Info_SetValueForKey( char *s, const char *key, const char *value ) {

 	Com_sprintf (newi, sizeof(newi), "\\%s\\%s", key, value);

-	if (strlen(newi) + strlen(s) > MAX_INFO_STRING)
+	if (strlen(newi) + strlen(s) >= MAX_INFO_STRING)
 	{
 		Com_Printf ("Info string length exceeded\n");
 		return;
@ -1240,7 +1235,7 @@ void Info_SetValueForKey_Big( char *s, const char *key, const char *value ) {

 	Com_sprintf (newi, sizeof(newi), "\\%s\\%s", key, value);

-	if (strlen(newi) + strlen(s) > BIG_INFO_STRING)
+	if (strlen(newi) + strlen(s) >= BIG_INFO_STRING)
 	{
 		Com_Printf ("BIG Info string length exceeded\n");
 		return;
--- a/code/q3_ui/ui_players.c
+++ b/code/q3_ui/ui_players.c
@ -943,6 +943,7 @@ static qboolean UI_ParseAnimationFile( const char *filename, animation_t *animat
 	}
 	if ( len >= ( sizeof( text ) - 1 ) ) {
 		Com_Printf( "File %s too long\n", filename );
+		trap_FS_FCloseFile( f );
 		return qfalse;
 	}
 	trap_FS_Read( text, len, f );
--- a/code/qcommon/files.c
+++ b/code/qcommon/files.c
@ -950,11 +950,11 @@ qboolean FS_FilenameCompare( const char *s1, const char *s2 ) {
 		}
 		
 		if (c1 != c2) {
-			return -1;		// strings not equal
+			return qtrue;		// strings not equal
 		}
 	} while (c1);
 	
-	return 0;		// strings are equal
+	return qfalse;		// strings are equal
 }

 /*
--- a/code/server/sv_main.c
+++ b/code/server/sv_main.c
@ -172,6 +172,14 @@ void QDECL SV_SendServerCommand(client_t *cl, const char *fmt, ...) {
 	Q_vsnprintf ((char *)message, sizeof(message), fmt,argptr);
 	va_end (argptr);

+	// Fix to http://aluigi.altervista.org/adv/q3msgboom-adv.txt
+	// The actual cause of the bug is probably further downstream
+	// and should maybe be addressed later, but this certainly
+	// fixes the problem for now
+	if ( strlen ((char *)message) > 1022 ) {
+		return;
+	}
+
 	if ( cl != NULL ) {
 		SV_AddServerCommand( cl, (char *)message );
 		return;
--- a/code/ui/ui_players.c
+++ b/code/ui/ui_players.c
@ -1040,6 +1040,7 @@ static qboolean UI_ParseAnimationFile( const char *filename, animation_t *animat
 	}
 	if ( len >= ( sizeof( text ) - 1 ) ) {
 		Com_Printf( "File %s too long\n", filename );
+		trap_FS_FCloseFile( f );
 		return qfalse;
 	}
 	trap_FS_Read( text, len, f );