[openjk] 03/24: savegames: bounds-check some string lengths to prevent buffer overflow
Simon McVittie
smcv at debian.org
Sat Jan 21 21:44:00 UTC 2017
commit 9aea7956e06c06e8ac0f7ed813c0e481da1a7779
Author: Simon McVittie <smcv at debian.org>
Date: Fri Oct 28 11:37:21 2016 +0100
savegames: bounds-check some string lengths to prevent buffer overflow
---
code/game/G_Timer.cpp | 17 ++++++++++++-----
code/game/Q3_Interface.cpp | 15 +++++++++++++++
code/game/g_roff.cpp | 3 +++
code/icarus/IcarusImplementation.cpp | 34 ++++++++++++++++++++++++----------
codeJK2/game/Q3_Registers.cpp | 15 +++++++++++++++
codeJK2/game/g_roff.cpp | 5 +++++
6 files changed, 74 insertions(+), 15 deletions(-)
diff --git a/code/game/G_Timer.cpp b/code/game/G_Timer.cpp
index d72f525..192594d 100644
--- a/code/game/G_Timer.cpp
+++ b/code/game/G_Timer.cpp
@@ -243,12 +243,19 @@ void TIMER_Load( void )
const char* sg_buffer_data = static_cast<const char*>(
saved_game.get_buffer_data());
- const int sg_buffer_size = saved_game.get_buffer_size();
+ int sg_buffer_size = saved_game.get_buffer_size();
- std::uninitialized_copy_n(
- sg_buffer_data,
- sg_buffer_size,
- tempBuffer);
+ if (sg_buffer_size < 0 || static_cast<size_t>(sg_buffer_size) >= sizeof(tempBuffer))
+ {
+ sg_buffer_size = 0;
+ }
+ else
+ {
+ std::uninitialized_copy_n(
+ sg_buffer_data,
+ sg_buffer_size,
+ tempBuffer);
+ }
tempBuffer[sg_buffer_size] = '\0';
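Review bot: When sg_buffer_size is negative or too large, the new branch at the top of the hunk zeroes it and TIMER_Load carries on with an empty tempBuffer as though the save held no timer data, so a corrupt save is silently accepted instead of reported. The overflow itself is closed and the `>=` comparison leaves room for the terminator written on the last line, but nothing tells a reader the truncation is deliberate; a comment on the check such as `// Length came from the save file: treat an impossible size as empty rather than overflow tempBuffer` and a logged warning inside that branch would make the recovery explicit and diagnosable. TIMER_Load's body continues outside the hunk, so whether a later step notices the empty buffer is not visible here.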
diff --git a/code/game/Q3_Interface.cpp b/code/game/Q3_Interface.cpp
index 56feeeb..2c740d4 100644
--- a/code/game/Q3_Interface.cpp
+++ b/code/game/Q3_Interface.cpp
@@ -7326,6 +7326,11 @@ void CQuake3GameInterface::VariableLoadFloats( varFloat_m &fmap )
INT_ID('F', 'I', 'D', 'L'),
idSize);
+ if (idSize < 0 || static_cast<size_t>(idSize) >= sizeof(tempBuffer))
+ {
+ idSize = 0;
+ }
+
saved_game.read_chunk(
INT_ID('F', 'I', 'D', 'S'),
tempBuffer,
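Review bot: Zeroing idSize when the `FIDL` length is out of range leaves the following `FIDS` read_chunk requesting 0 bytes while the file still carries the original chunk, so unless read_chunk compares the requested size with the stored chunk size (not visible here) the loader is now desynchronised from the save and will misparse whatever follows. VariableLoadFloats returns void, so a clean failure is hard to signal from this spot; at minimum the branch deserves a comment, e.g. `// Length came from the save file: clamp so the FIDS read cannot overflow tempBuffer`, and a warning log so a rejected save can be diagnosed. The same silent clamp appears in the two VariableLoadStrings hunks below, in the three codeJK2/game/Q3_Registers.cpp hunks and in both g_roff.cpp hunks. The enclosing functions start and end outside the hunks.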
@@ -7371,6 +7376,11 @@ void CQuake3GameInterface::VariableLoadStrings( int type, varString_m &fmap )
INT_ID('S', 'I', 'D', 'L'),
idSize);
+ if (idSize < 0 || static_cast<size_t>(idSize) >= sizeof(tempBuffer))
+ {
+ idSize = 0;
+ }
+
saved_game.read_chunk(
INT_ID('S', 'I', 'D', 'S'),
tempBuffer,
@@ -7382,6 +7392,11 @@ void CQuake3GameInterface::VariableLoadStrings( int type, varString_m &fmap )
INT_ID('S', 'V', 'S', 'Z'),
idSize);
+ if (idSize < 0 || static_cast<size_t>(idSize) >= sizeof(tempBuffer2))
+ {
+ idSize = 0;
+ }
+
saved_game.read_chunk(
INT_ID('S', 'V', 'A', 'L'),
tempBuffer2,
diff --git a/code/game/g_roff.cpp b/code/game/g_roff.cpp
index fe1f79f..9ec25ad 100644
--- a/code/game/g_roff.cpp
+++ b/code/game/g_roff.cpp
@@ -703,6 +703,9 @@ void G_LoadCachedRoffs()
INT_ID('S', 'L', 'E', 'N'),
len);
+ if (len < 0 || static_cast<size_t>(len) >= sizeof(buffer))
+ len = 0;
+
saved_game.read_chunk(
INT_ID('R', 'S', 'T', 'R'),
buffer,
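Review bot: The new check on `len` is the only one in this commit written without braces; the codeJK2/game/g_roff.cpp copy of the same guard and every other hunk brace the single-statement body. Wrapping `len = 0;` in braces here keeps the two g_roff.cpp files textually identical and follows the brace style used across the rest of the change. G_LoadCachedRoffs starts and ends outside the hunk.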
diff --git a/code/icarus/IcarusImplementation.cpp b/code/icarus/IcarusImplementation.cpp
index 26004b3..7d2fc8f 100644
--- a/code/icarus/IcarusImplementation.cpp
+++ b/code/icarus/IcarusImplementation.cpp
@@ -716,12 +716,19 @@ int CIcarus::Load()
const unsigned char* sg_buffer_data = static_cast<const unsigned char*>(
saved_game.get_buffer_data());
- const int sg_buffer_size = saved_game.get_buffer_size();
+ int sg_buffer_size = saved_game.get_buffer_size();
- std::uninitialized_copy_n(
- sg_buffer_data,
- sg_buffer_size,
- m_byBuffer);
+ if (sg_buffer_size < 0 || static_cast<size_t>(sg_buffer_size) >= sizeof(m_byBuffer))
+ {
+ sg_buffer_size = 0;
+ }
+ else
+ {
+ std::uninitialized_copy_n(
+ sg_buffer_data,
+ sg_buffer_size,
+ m_byBuffer);
+ }
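Review bot: In CIcarus::Load the assignment `sg_buffer_size = 0;` in the new rejection branch is, within the visible lines, a dead store: nothing after the if/else reads the variable, so an oversized save leaves m_byBuffer unfilled with whatever it held before and Load proceeds to LoadSignals() as if the copy had succeeded. Load returns int, so this branch could return the function's failure value instead of falling through. The CIcarus::BufferRead hunk below has the same dead store and then resets m_ulBytesRead, so later reads would presumably consume the stale buffer; BufferRead being void, at least a comment such as `// Save reported an impossible buffer size; leave m_byBuffer unchanged and read nothing` plus a logged warning would record the recovery. Whether LoadSignals() reads m_byBuffer through BufferRead is not visible here, and both functions continue outside the hunks.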
//Load all signals
if ( LoadSignals() == false )
@@ -849,12 +856,19 @@ void CIcarus::BufferRead( void *pDstBuff, unsigned long ulNumBytesToRead )
const unsigned char* sg_buffer_data = static_cast<const unsigned char*>(
saved_game.get_buffer_data());
- const int sg_buffer_size = saved_game.get_buffer_size();
+ int sg_buffer_size = saved_game.get_buffer_size();
- std::uninitialized_copy_n(
- sg_buffer_data,
- sg_buffer_size,
- m_byBuffer);
+ if (sg_buffer_size < 0 || static_cast<size_t>(sg_buffer_size) >= sizeof(m_byBuffer))
+ {
+ sg_buffer_size = 0;
+ }
+ else
+ {
+ std::uninitialized_copy_n(
+ sg_buffer_data,
+ sg_buffer_size,
+ m_byBuffer);
+ }
m_ulBytesRead = 0; //reset buffer
}
diff --git a/codeJK2/game/Q3_Registers.cpp b/codeJK2/game/Q3_Registers.cpp
index 7797b5f..25c99cd 100644
--- a/codeJK2/game/Q3_Registers.cpp
+++ b/codeJK2/game/Q3_Registers.cpp
@@ -408,6 +408,11 @@ void Q3_VariableLoadFloats( varFloat_m &fmap )
INT_ID('F', 'I', 'D', 'L'),
idSize);
+ if (idSize < 0 || static_cast<size_t>(idSize) >= sizeof(tempBuffer))
+ {
+ idSize = 0;
+ }
+
saved_game.read_chunk(
INT_ID('F', 'I', 'D', 'S'),
tempBuffer,
@@ -453,6 +458,11 @@ void Q3_VariableLoadStrings( int type, varString_m &fmap )
INT_ID('S', 'I', 'D', 'L'),
idSize);
+ if (idSize < 0 || static_cast<size_t>(idSize) >= sizeof(tempBuffer))
+ {
+ idSize = 0;
+ }
+
saved_game.read_chunk(
INT_ID('S', 'I', 'D', 'S'),
tempBuffer,
@@ -464,6 +474,11 @@ void Q3_VariableLoadStrings( int type, varString_m &fmap )
INT_ID('S', 'V', 'S', 'Z'),
idSize);
+ if (idSize < 0 || static_cast<size_t>(idSize) >= sizeof(tempBuffer2))
+ {
+ idSize = 0;
+ }
+
saved_game.read_chunk(
INT_ID('S', 'V', 'A', 'L'),
tempBuffer2,
diff --git a/codeJK2/game/g_roff.cpp b/codeJK2/game/g_roff.cpp
index 7eb1bd1..b5c0240 100644
--- a/codeJK2/game/g_roff.cpp
+++ b/codeJK2/game/g_roff.cpp
@@ -678,6 +678,11 @@ void G_LoadCachedRoffs()
INT_ID('S', 'L', 'E', 'N'),
len);
+ if (len < 0 || static_cast<size_t>(len) >= sizeof(buffer))
+ {
+ len = 0;
+ }
+
saved_game.read_chunk(
INT_ID('R', 'S', 'T', 'R'),
buffer,