This is an automated email from the git hooks/post-receive script. smcv pushed a commit to branch debian/master in repository openjk.
commit 9aea7956e06c06e8ac0f7ed813c0e481da1a7779
Author: Simon McVittie <[email protected]>
Date: Fri Oct 28 11:37:21 2016 +0100
savegames: bounds-check some string lengths to prevent buffer overflow
---
 code/game/G_Timer.cpp | 17 ++++++++++++-----
 code/game/Q3_Interface.cpp | 15 +++++++++++++++
 code/game/g_roff.cpp | 3 +++
 code/icarus/IcarusImplementation.cpp | 34 ++++++++++++++++++++++++----------
 codeJK2/game/Q3_Registers.cpp | 15 +++++++++++++++
 codeJK2/game/g_roff.cpp | 5 +++++
 6 files changed, 74 insertions(+), 15 deletions(-)
diff --git a/code/game/G_Timer.cpp b/code/game/G_Timer.cpp
index d72f525..192594d 100644
--- a/code/game/G_Timer.cpp
+++ b/code/game/G_Timer.cpp
@@ -243,12 +243,19 @@ void TIMER_Load( void )
 const char* sg_buffer_data = static_cast<const char*>(
 saved_game.get_buffer_data());
- const int sg_buffer_size = saved_game.get_buffer_size();
+ int sg_buffer_size = saved_game.get_buffer_size();
- std::uninitialized_copy_n(
- sg_buffer_data,
- sg_buffer_size,
- tempBuffer);
+ if (sg_buffer_size < 0 || static_cast<size_t>(sg_buffer_size) >= sizeof(tempBuffer))
+ {
+ sg_buffer_size = 0;
+ }
+ else
+ {
+ std::uninitialized_copy_n(
+ sg_buffer_data,
+ sg_buffer_size,
+ tempBuffer);
+ }
 tempBuffer[sg_buffer_size] = '\0';
diff --git a/code/game/Q3_Interface.cpp b/code/game/Q3_Interface.cpp
index 56feeeb..2c740d4 100644
--- a/code/game/Q3_Interface.cpp
+++ b/code/game/Q3_Interface.cpp
@@ -7326,6 +7326,11 @@ void CQuake3GameInterface::VariableLoadFloats( varFloat_m &fmap )
 INT_ID('F', 'I', 'D', 'L'),
 idSize);
+ if (idSize < 0 || static_cast<size_t>(idSize) >= sizeof(tempBuffer))
+ {
+ idSize = 0;
+ }
+
 saved_game.read_chunk(
 INT_ID('F', 'I', 'D', 'S'),
 tempBuffer,
@@ -7371,6 +7376,11 @@ void CQuake3GameInterface::VariableLoadStrings( int type, varString_m &fmap )
 INT_ID('S', 'I', 'D', 'L'),
 idSize);
+ if (idSize < 0 || static_cast<size_t>(idSize) >= sizeof(tempBuffer))
+ {
+ idSize = 0;
+ }
+
 saved_game.read_chunk(
 INT_ID('S', 'I', 'D', 'S'),
 tempBuffer,
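Review bot: The out-of-range branch at `sg_buffer_size = 0;` turns a corrupt or hostile timer chunk into an empty string and lets TIMER_Load carry on with no diagnostic, so a truncated timer list is indistinguishable from a legitimately empty one. The `>=` comparison does keep the later `tempBuffer[sg_buffer_size] = '\0'` inside the array, which is the essential part; what is missing is a report through the code's usual error path so that save-file corruption surfaces instead of silently losing timers. The same silent-zero pattern is used in every other hunk of this commit (Q3_Interface.cpp, both g_roff.cpp files, IcarusImplementation.cpp, Q3_Registers.cpp). At minimum add `// Negative or oversized length: corrupt save data, load as empty rather than overrun tempBuffer` above the branch. TIMER_Load's body continues outside the hunk.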
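Review bot: The clamp at `idSize = 0;` only prevents the overflow if `saved_game.read_chunk(INT_ID('F', 'I', 'D', 'S'), tempBuffer, idSize)` bounds its copy by the `idSize` argument rather than by the length recorded in the chunk itself; read_chunk is not visible here, so that contract should be confirmed and stated next to the guard. If read_chunk does enforce the count, a zero count against a non-empty stored chunk presumably fails the load, which is the safer outcome but is an implicit effect worth a comment such as `// Clamp to 0 so read_chunk rejects an oversized FIDS chunk instead of overrunning tempBuffer`. The same dependency applies to the SIDL and SVSZ hunks below, to the three Q3_Registers.cpp hunks, and to the SLEN guards in both g_roff.cpp files. Whatever uses tempBuffer after the read, including any terminator write, lies outside the hunk.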
@@ -7382,6 +7392,11 @@ void CQuake3GameInterface::VariableLoadStrings( int type, varString_m &fmap )
 INT_ID('S', 'V', 'S', 'Z'),
 idSize);
+ if (idSize < 0 || static_cast<size_t>(idSize) >= sizeof(tempBuffer2))
+ {
+ idSize = 0;
+ }
+
 saved_game.read_chunk(
 INT_ID('S', 'V', 'A', 'L'),
 tempBuffer2,
diff --git a/code/game/g_roff.cpp b/code/game/g_roff.cpp
index fe1f79f..9ec25ad 100644
--- a/code/game/g_roff.cpp
+++ b/code/game/g_roff.cpp
@@ -703,6 +703,9 @@ void G_LoadCachedRoffs()
 INT_ID('S', 'L', 'E', 'N'),
 len);
+ if (len < 0 || static_cast<size_t>(len) >= sizeof(buffer))
+ len = 0;
+
 saved_game.read_chunk(
 INT_ID('R', 'S', 'T', 'R'),
 buffer,
diff --git a/code/icarus/IcarusImplementation.cpp b/code/icarus/IcarusImplementation.cpp
index 26004b3..7d2fc8f 100644
--- a/code/icarus/IcarusImplementation.cpp
+++ b/code/icarus/IcarusImplementation.cpp
@@ -716,12 +716,19 @@ int CIcarus::Load()
 const unsigned char* sg_buffer_data = static_cast<const unsigned char*>(
 saved_game.get_buffer_data());
- const int sg_buffer_size = saved_game.get_buffer_size();
+ int sg_buffer_size = saved_game.get_buffer_size();
- std::uninitialized_copy_n(
- sg_buffer_data,
- sg_buffer_size,
- m_byBuffer);
+ if (sg_buffer_size < 0 || static_cast<size_t>(sg_buffer_size) >= sizeof(m_byBuffer))
+ {
+ sg_buffer_size = 0;
+ }
+ else
+ {
+ std::uninitialized_copy_n(
+ sg_buffer_data,
+ sg_buffer_size,
+ m_byBuffer);
+ }
 //Load all signals
 if ( LoadSignals() == false )
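Review bot: The SLEN guard in code/game/g_roff.cpp is the only one in this commit written without braces (`if (...)` followed by a bare `len = 0;`), while the same guard in codeJK2/game/g_roff.cpp and every Q3_* hunk wraps the assignment in a block. Bracing it keeps the six copies textually identical, which matters when they are later grepped for or changed together, and avoids a dangling-statement slip if a diagnostic is added beside the assignment: `{` / `len = 0;` / `}`. G_LoadCachedRoffs's body continues outside the hunk.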
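Review bot: In CIcarus::Load the out-of-range branch assigns `sg_buffer_size = 0;` but nothing on the new side reads the variable after the if/else, so the assignment is dead and the function simply carries on to `LoadSignals()` with `m_byBuffer` never refilled. Since Load returns an int and the visible `if ( LoadSignals() == false )` shows it already has a failure path, the negative or oversized buffer case should take that same path rather than let later reads consume whatever the buffer held before; what that path returns is not visible here, so reuse it as written there. The BufferRead hunk further down has the identical dead assignment and then still resets `m_ulBytesRead = 0`, which presumably lets subsequent reads walk an unfilled buffer from offset zero. Both Load's and BufferRead's bodies continue outside their hunks.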
@@ -849,12 +856,19 @@ void CIcarus::BufferRead( void *pDstBuff, unsigned long ulNumBytesToRead )
 const unsigned char* sg_buffer_data = static_cast<const unsigned char*>(
 saved_game.get_buffer_data());
- const int sg_buffer_size = saved_game.get_buffer_size();
+ int sg_buffer_size = saved_game.get_buffer_size();
- std::uninitialized_copy_n(
- sg_buffer_data,
- sg_buffer_size,
- m_byBuffer);
+ if (sg_buffer_size < 0 || static_cast<size_t>(sg_buffer_size) >= sizeof(m_byBuffer))
+ {
+ sg_buffer_size = 0;
+ }
+ else
+ {
+ std::uninitialized_copy_n(
+ sg_buffer_data,
+ sg_buffer_size,
+ m_byBuffer);
+ }
 m_ulBytesRead = 0; //reset buffer
 }
diff --git a/codeJK2/game/Q3_Registers.cpp b/codeJK2/game/Q3_Registers.cpp
index 7797b5f..25c99cd 100644
--- a/codeJK2/game/Q3_Registers.cpp
+++ b/codeJK2/game/Q3_Registers.cpp
@@ -408,6 +408,11 @@ void Q3_VariableLoadFloats( varFloat_m &fmap )
 INT_ID('F', 'I', 'D', 'L'),
 idSize);
+ if (idSize < 0 || static_cast<size_t>(idSize) >= sizeof(tempBuffer))
+ {
+ idSize = 0;
+ }
+
 saved_game.read_chunk(
 INT_ID('F', 'I', 'D', 'S'),
 tempBuffer,
@@ -453,6 +458,11 @@ void Q3_VariableLoadStrings( int type, varString_m &fmap )
 INT_ID('S', 'I', 'D', 'L'),
 idSize);
+ if (idSize < 0 || static_cast<size_t>(idSize) >= sizeof(tempBuffer))
+ {
+ idSize = 0;
+ }
+
 saved_game.read_chunk(
 INT_ID('S', 'I', 'D', 'S'),
 tempBuffer,
@@ -464,6 +474,11 @@ void Q3_VariableLoadStrings( int type, varString_m &fmap )
 INT_ID('S', 'V', 'S', 'Z'),
 idSize);
+ if (idSize < 0 || static_cast<size_t>(idSize) >= sizeof(tempBuffer2))
+ {
+ idSize = 0;
+ }
+
 saved_game.read_chunk(
 INT_ID('S', 'V', 'A', 'L'),
 tempBuffer2,
diff --git a/codeJK2/game/g_roff.cpp b/codeJK2/game/g_roff.cpp
index 7eb1bd1..b5c0240 100644
--- a/codeJK2/game/g_roff.cpp
+++ b/codeJK2/game/g_roff.cpp
@@ -678,6 +678,11 @@ void G_LoadCachedRoffs()
 INT_ID('S', 'L', 'E', 'N'),
 len);
+ if (len < 0 || static_cast<size_t>(len) >= sizeof(buffer))
+ {
+ len = 0;
+ }
+
 saved_game.read_chunk(
 INT_ID('R', 'S', 'T', 'R'),
 buffer,
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-games/openjk.git
_______________________________________________
Pkg-games-commits mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-games-commits

