From 740c8d021ba4466076d1f755c8023656b40ffe66 Mon Sep 17 00:00:00 2001
From: helixhorned
Date: Mon, 18 Feb 2013 16:07:56 +0000
Subject: [PATCH] CON qsprintf: fix specifying more than one "%s" conversion.
Also, slightly better, though still inadequate checking.
git-svn-id: https://svn.eduke32.com/eduke32@3506 1a8010ca-5511-0410-912e-c29ae57300e0
---
 polymer/eduke32/source/gameexec.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/polymer/eduke32/source/gameexec.c b/polymer/eduke32/source/gameexec.c
index 5199811f5..92f4eeebe 100644
--- a/polymer/eduke32/source/gameexec.c
+++ b/polymer/eduke32/source/gameexec.c
@@ -3491,12 +3491,13 @@ nullquote:
 }
 {
- int32_t arg[32], i = 0, j = 0, k = 0;
+ int32_t arg[32], i = 0, j = 0, k = 0, numargs;
 int32_t len = Bstrlen(ScriptQuotes[sq]);
 char tempbuf[MAXQUOTELEN];
 while ((*insptr & 0xFFF) != CON_NULLOP && i < 32)
 arg[i++] = Gv_GetVarX(*insptr++);
+ numargs = i;
 insptr++; // skip the NOP
@@ -3524,8 +3525,10 @@ nullquote:
 case 'd':
 {
 char buf[16];
- int32_t ii = 0;
+ int32_t ii;
+ if (i >= numargs)
+ goto finish_qsprintf;
 Bsprintf(buf, "%d", arg[i++]);
 ii = Bstrlen(buf);
@@ -3537,10 +3540,15 @@ nullquote:
 case 's':
 {
- int32_t ii = Bstrlen(ScriptQuotes[arg[i]]);
+ int32_t ii;
+
+ if (i >= numargs)
+ goto finish_qsprintf;
+ ii = Bstrlen(ScriptQuotes[arg[i]]);
 Bmemcpy(&tempbuf[j], ScriptQuotes[arg[i]], ii);
 j += ii;
+ i++;
 k++;
 }
 break;
@@ -3552,9 +3560,9 @@ nullquote:
 }
 }
 while (k < len && j < MAXQUOTELEN);
-
+finish_qsprintf:
 tempbuf[j] = '\0';
- Bstrcpy(ScriptQuotes[dq], tempbuf);
+ Bstrncpyz(ScriptQuotes[dq], tempbuf, MAXQUOTELEN);
 continue;
 }
 }
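Review bot: The argument-collecting loop stops at 32 entries without draining what follows, so a script that passes more than 32 arguments leaves `insptr` on the 33rd argument and the `insptr++; // skip the NOP` line below then skips that argument instead of CON_NULLOP, leaving the interpreter out of step for the next instruction; the new `numargs = i` also understates what the script supplied in that case. Unless the CON compiler already rejects such argument lists (not visible here), drain them after the loop with `while ((*insptr & 0xFFF) != CON_NULLOP) insptr++;` and report the excess through the file's usual error-reporting path. The enclosing block starts before this hunk.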
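Review bot: The new `goto finish_qsprintf` bail-out in the `%d` case carries no comment and emits no diagnostic, so a script with fewer arguments than conversions silently yields a quote cut off at the unmatched `%`; the identical bail-out in the `%s` case of the next hunk has the same gap. A one-line comment on the `if (i >= numargs)` line, e.g. `// fewer arguments than conversions: stop here, leaving the quote truncated`, plus a warning through whatever CON error-reporting macro this file uses elsewhere, would make the truncation visible to script authors instead of looking like a formatting bug. The switch this case belongs to starts and ends outside the hunk.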
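Review bot: In the `%s` case `arg[i]` is used as an index into `ScriptQuotes` with no range or NULL check, and the `Bmemcpy` into `tempbuf` is unbounded, so `j + ii` can run past MAXQUOTELEN before the loop's `j < MAXQUOTELEN` test is evaluated — a script-controlled write past a stack buffer. The argument-count check the commit adds covers neither case. Validate the quote index before the `Bstrlen` (MAXQUOTES, if that is still the bound this file uses for `ScriptQuotes`; the `nullquote:` label in the hunk header suggests the function already has a path for a missing quote that could be reused) and clamp the copy length to the space left in `tempbuf`. The enclosing switch starts and ends outside the hunk.
```c
                            if (i >= numargs)
                                goto finish_qsprintf;
                            /* arg[i] comes from the script: reject an out-of-range or unset quote
                               before dereferencing it (MAXQUOTES = the ScriptQuotes array bound) */
                            if ((unsigned)arg[i] >= MAXQUOTES || ScriptQuotes[arg[i]] == NULL)
                                goto finish_qsprintf;
                            ii = Bstrlen(ScriptQuotes[arg[i]]);
                            /* the loop's j < MAXQUOTELEN test runs only after the copy, so bound it here */
                            if (ii > MAXQUOTELEN - 1 - j)
                                ii = MAXQUOTELEN - 1 - j;
                            Bmemcpy(&tempbuf[j], ScriptQuotes[arg[i]], ii);
                            /* … unchanged: j += ii; i++; k++; … */
```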
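Review bot: `tempbuf[j] = '\0'` after the new `finish_qsprintf:` label can write past the end of `tempbuf`: the loop condition `while (k < len && j < MAXQUOTELEN)` lets `j` reach exactly MAXQUOTELEN, and the `%s` path in the previous hunk adds a whole quote's length to `j` with no bound, so `j` can be larger still when the label is reached. The switch from `Bstrcpy` to `Bstrncpyz` (which from its name bounds and terminates the copy) protects the destination quote but not the stack buffer it copies from. Clamp before terminating: `if (j >= MAXQUOTELEN) j = MAXQUOTELEN - 1;` immediately ahead of `tempbuf[j] = '\0';`. The enclosing function continues outside the hunk.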