[iortcw] 01/01: Fix a read buffer overflow in MSG_ReadBits (CVE-2017-11721)
Simon McVittie
smcv at debian.org
Fri Sep 8 10:35:28 UTC 2017
This is an automated email from the git hooks/post-receive script.
smcv pushed a commit to branch debian/stretch
in repository iortcw.
commit a8196d392a2d7b1e6fc6cd731fac843e21a79cf3
Author: Simon McVittie <smcv at debian.org>
Date: Tue Aug 8 09:50:11 2017 -0400
Fix a read buffer overflow in MSG_ReadBits (CVE-2017-11721)
---
debian/changelog | 8 +
...upport-for-downloading-executable-updates.patch | 2 +-
...buffer-overflow-in-MSG_ReadBits-MSG_Write.patch | 626 +++++++++++++++++++++
debian/patches/series | 1 +
4 files changed, 636 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index fd1f9c2..92409e5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+iortcw (1.50a+dfsg1-3+deb9u1) stretch-security; urgency=medium
+
+ * d/p/security/All-Fix-improve-buffer-overflow-in-MSG_ReadBits-MSG_Write.patch:
+ Add patch (from ioquake3 via upstream) to fix a read buffer overflow
+ in MSG_ReadBits (CVE-2017-11721)
+
+ -- Simon McVittie <smcv at debian.org> Tue, 08 Aug 2017 14:57:52 -0400
+
iortcw (1.50a+dfsg1-3) unstable; urgency=high
* d/gbp.conf: switch branch to debian/stretch for updates during freeze
diff --git a/debian/patches/debian/Remove-support-for-downloading-executable-updates.patch b/debian/patches/debian/Remove-support-for-downloading-executable-updates.patch
index a76ef3f..08b2190 100644
--- a/debian/patches/debian/Remove-support-for-downloading-executable-updates.patch
+++ b/debian/patches/debian/Remove-support-for-downloading-executable-updates.patch
@@ -219,7 +219,7 @@ index 28a2f5a..e5298b6 100644
// DHM - Nerve
diff --git a/MP/code/qcommon/qcommon.h b/MP/code/qcommon/qcommon.h
-index 1f23d0f..b1fff59 100644
+index 02ef8e8..96a9081 100644
--- a/MP/code/qcommon/qcommon.h
+++ b/MP/code/qcommon/qcommon.h
@@ -1258,12 +1258,6 @@ void Sys_StartProcess( char *cmdline, qboolean doexit ); // NERVE - S
diff --git a/debian/patches/security/All-Fix-improve-buffer-overflow-in-MSG_ReadBits-MSG_Write.patch b/debian/patches/security/All-Fix-improve-buffer-overflow-in-MSG_ReadBits-MSG_Write.patch
new file mode 100644
index 0000000..d7771ca
--- /dev/null
+++ b/debian/patches/security/All-Fix-improve-buffer-overflow-in-MSG_ReadBits-MSG_Write.patch
@@ -0,0 +1,626 @@
+From: MAN-AT-ARMS <M4N4T4RMS at gmail.com>
+Date: Thu, 3 Aug 2017 00:06:37 -0400
+Subject: All: Fix/improve buffer overflow in MSG_ReadBits/MSG_WriteBits
+
+Origin: upstream, commit:260c39a29af517a08b3ee1a0e78ad654bdd70934
+Bug-CVE: CVE-2017-11721
+Bug-Debian: https://bugs.debian.org/870811
+---
+ MP/code/qcommon/huffman.c | 49 ++++++++++++++++++++---------------
+ MP/code/qcommon/msg.c | 45 +++++++++++++++++++++++++-------
+ MP/code/qcommon/qcommon.h | 6 ++---
+ SP/code/qcommon/huffman.c | 49 ++++++++++++++++++++---------------
+ SP/code/qcommon/msg.c | 65 ++++++++++++++++++++++++++++++++++-------------
+ SP/code/qcommon/qcommon.h | 6 ++---
+ 6 files changed, 145 insertions(+), 75 deletions(-)
+
+diff --git a/MP/code/qcommon/huffman.c b/MP/code/qcommon/huffman.c
+index 00b007e..88b972c 100644
+--- a/MP/code/qcommon/huffman.c
++++ b/MP/code/qcommon/huffman.c
+@@ -36,7 +36,7 @@ If you have questions concerning this license or the applicable additional terms
+
+ static int bloc = 0;
+
+-void Huff_putBit( int bit, byte *fout, int *offset ) {
++void Huff_putBit( int bit, byte *fout, int *offset ) {
+ bloc = *offset;
+ if ( ( bloc & 7 ) == 0 ) {
+ fout[( bloc >> 3 )] = 0;
+@@ -46,17 +46,15 @@ void Huff_putBit( int bit, byte *fout, int *offset ) {
+ *offset = bloc;
+ }
+
+-int Huff_getBloc(void)
+-{
++int Huff_getBloc( void ) {
+ return bloc;
+ }
+
+-void Huff_setBloc(int _bloc)
+-{
++void Huff_setBloc( int _bloc ) {
+ bloc = _bloc;
+ }
+
+-int Huff_getBit( byte *fin, int *offset ) {
++int Huff_getBit( byte *fin, int *offset ) {
+ int t;
+ bloc = *offset;
+ t = ( fin[( bloc >> 3 )] >> ( bloc & 7 ) ) & 0x1;
+@@ -286,9 +284,14 @@ int Huff_Receive( node_t *node, int *ch, byte *fin ) {
+ }
+
+ /* Get a symbol */
+-void Huff_offsetReceive( node_t *node, int *ch, byte *fin, int *offset ) {
++void Huff_offsetReceive( node_t *node, int *ch, byte *fin, int *offset, int maxoffset ) {
+ bloc = *offset;
+ while ( node && node->symbol == INTERNAL_NODE ) {
++ if ( bloc >= maxoffset ) {
++ *ch = 0;
++ *offset = maxoffset + 1;
++ return;
++ }
+ if ( get_bit( fin ) ) {
+ node = node->right;
+ } else {
+@@ -305,11 +308,15 @@ void Huff_offsetReceive( node_t *node, int *ch, byte *fin, int *offset ) {
+ }
+
+ /* Send the prefix code for this node */
+-static void send( node_t *node, node_t *child, byte *fout ) {
++static void send( node_t *node, node_t *child, byte *fout, int maxoffset ) {
+ if ( node->parent ) {
+- send( node->parent, node, fout );
++ send( node->parent, node, fout, maxoffset );
+ }
+ if ( child ) {
++ if ( bloc >= maxoffset ) {
++ bloc = maxoffset + 1;
++ return;
++ }
+ if ( node->right == child ) {
+ add_bit( 1, fout );
+ } else {
+@@ -319,22 +326,22 @@ static void send( node_t *node, node_t *child, byte *fout ) {
+ }
+
+ /* Send a symbol */
+-void Huff_transmit( huff_t *huff, int ch, byte *fout ) {
++void Huff_transmit( huff_t *huff, int ch, byte *fout, int maxoffset ) {
+ int i;
+ if ( huff->loc[ch] == NULL ) {
+ /* node_t hasn't been transmitted, send a NYT, then the symbol */
+- Huff_transmit( huff, NYT, fout );
++ Huff_transmit( huff, NYT, fout, maxoffset );
+ for ( i = 7; i >= 0; i-- ) {
+ add_bit( (char)( ( ch >> i ) & 0x1 ), fout );
+ }
+ } else {
+- send( huff->loc[ch], NULL, fout );
++ send( huff->loc[ch], NULL, fout, maxoffset );
+ }
+ }
+
+-void Huff_offsetTransmit( huff_t *huff, int ch, byte *fout, int *offset ) {
++void Huff_offsetTransmit( huff_t *huff, int ch, byte *fout, int *offset, int maxoffset ) {
+ bloc = *offset;
+- send( huff->loc[ch], NULL, fout );
++ send( huff->loc[ch], NULL, fout, maxoffset );
+ *offset = bloc;
+ }
+
+@@ -374,17 +381,17 @@ void Huff_Decompress( msg_t *mbuf, int offset ) {
+ seq[j] = 0;
+ break;
+ }
+- Huff_Receive( huff.tree, &ch, buffer ); /* Get a character */
+- if ( ch == NYT ) { /* We got a NYT, get the symbol associated with it */
++ Huff_Receive( huff.tree, &ch, buffer ); /* Get a character */
++ if ( ch == NYT ) { /* We got a NYT, get the symbol associated with it */
+ ch = 0;
+ for ( i = 0; i < 8; i++ ) {
+ ch = ( ch << 1 ) + get_bit( buffer );
+ }
+ }
+
+- seq[j] = ch; /* Write symbol */
++ seq[j] = ch; /* Write symbol */
+
+- Huff_addRef( &huff, (byte)ch ); /* Increment node */
++ Huff_addRef( &huff, (byte)ch ); /* Increment node */
+ }
+ mbuf->cursize = cch + offset;
+ Com_Memcpy( mbuf->data + offset, seq, cch );
+@@ -420,11 +427,11 @@ void Huff_Compress( msg_t *mbuf, int offset ) {
+
+ for ( i = 0; i < size; i++ ) {
+ ch = buffer[i];
+- Huff_transmit( &huff, ch, seq ); /* Transmit symbol */
+- Huff_addRef( &huff, (byte)ch ); /* Do update */
++ Huff_transmit( &huff, ch, seq, size << 3 ); /* Transmit symbol */
++ Huff_addRef( &huff, (byte)ch ); /* Do update */
+ }
+
+- bloc += 8; // next byte
++ bloc += 8; // next byte
+
+ mbuf->cursize = ( bloc >> 3 ) + offset;
+ Com_Memcpy( mbuf->data + offset, seq, ( bloc >> 3 ) );
+diff --git a/MP/code/qcommon/msg.c b/MP/code/qcommon/msg.c
+index 56ef5fc..e8a5e7e 100644
+--- a/MP/code/qcommon/msg.c
++++ b/MP/code/qcommon/msg.c
+@@ -114,9 +114,7 @@ void MSG_WriteBits( msg_t *msg, int value, int bits ) {
+
+ msg->uncompsize += bits; // NERVE - SMF - net debugging
+
+- // this isn't an exact overflow check, but close enough
+- if ( msg->maxsize - msg->cursize < 4 ) {
+- msg->overflowed = qtrue;
++ if ( msg->overflowed ) {
+ return;
+ }
+
+@@ -128,6 +126,11 @@ void MSG_WriteBits( msg_t *msg, int value, int bits ) {
+ bits = -bits;
+ }
+ if ( msg->oob ) {
++ if ( msg->cursize + ( bits >> 3 ) > msg->maxsize ) {
++ msg->overflowed = qtrue;
++ return;
++ }
++
+ if ( bits == 8 ) {
+ msg->data[msg->cursize] = value;
+ msg->cursize += 1;
+@@ -150,6 +153,10 @@ void MSG_WriteBits( msg_t *msg, int value, int bits ) {
+ if ( bits & 7 ) {
+ int nbits;
+ nbits = bits & 7;
++ if ( msg->bit + nbits > msg->maxsize << 3 ) {
++ msg->overflowed = qtrue;
++ return;
++ }
+ for ( i = 0; i < nbits; i++ ) {
+ Huff_putBit( ( value & 1 ), msg->data, &msg->bit );
+ value = ( value >> 1 );
+@@ -158,8 +165,13 @@ void MSG_WriteBits( msg_t *msg, int value, int bits ) {
+ }
+ if ( bits ) {
+ for ( i = 0; i < bits; i += 8 ) {
+- Huff_offsetTransmit( &msgHuff.compressor, ( value & 0xff ), msg->data, &msg->bit );
++ Huff_offsetTransmit( &msgHuff.compressor, ( value & 0xff ), msg->data, &msg->bit, msg->maxsize << 3 );
+ value = ( value >> 8 );
++
++ if ( msg->bit > msg->maxsize << 3 ) {
++ msg->overflowed = qtrue;
++ return;
++ }
+ }
+ }
+ msg->cursize = ( msg->bit >> 3 ) + 1;
+@@ -173,6 +185,10 @@ int MSG_ReadBits( msg_t *msg, int bits ) {
+ int i, nbits;
+ // FILE* fp;
+
++ if ( msg->readcount > msg->cursize ) {
++ return 0;
++ }
++
+ value = 0;
+
+ if ( bits < 0 ) {
+@@ -183,6 +199,11 @@ int MSG_ReadBits( msg_t *msg, int bits ) {
+ }
+
+ if ( msg->oob ) {
++ if ( msg->readcount + ( bits >> 3 ) > msg->cursize ) {
++ msg->readcount = msg->cursize + 1;
++ return 0;
++ }
++
+ if ( bits == 8 ) {
+ value = msg->data[msg->readcount];
+ msg->readcount += 1;
+@@ -205,6 +226,10 @@ int MSG_ReadBits( msg_t *msg, int bits ) {
+ nbits = 0;
+ if ( bits & 7 ) {
+ nbits = bits & 7;
++ if ( msg->bit + nbits > msg->cursize << 3 ) {
++ msg->readcount = msg->cursize + 1;
++ return 0;
++ }
+ for ( i = 0; i < nbits; i++ ) {
+ value |= ( Huff_getBit( msg->data, &msg->bit ) << i );
+ }
+@@ -213,9 +238,14 @@ int MSG_ReadBits( msg_t *msg, int bits ) {
+ if ( bits ) {
+ // fp = fopen("c:\\netchan.bin", "a");
+ for ( i = 0; i < bits; i += 8 ) {
+- Huff_offsetReceive( msgHuff.decompressor.tree, &get, msg->data, &msg->bit );
++ Huff_offsetReceive( msgHuff.decompressor.tree, &get, msg->data, &msg->bit, msg->cursize << 3 );
+ // fwrite(&get, 1, 1, fp);
+ value |= ( get << ( i + nbits ) );
++
++ if ( msg->bit > msg->cursize << 3 ) {
++ msg->readcount = msg->cursize + 1;
++ return 0;
++ }
+ }
+ // fclose(fp);
+ }
+@@ -280,8 +310,8 @@ void MSG_WriteLong( msg_t *sb, int c ) {
+ }
+
+ void MSG_WriteFloat( msg_t *sb, float f ) {
+-
+ floatint_t dat;
++
+ dat.f = f;
+ MSG_WriteBits( sb, dat.i, 32 );
+ }
+@@ -409,7 +439,6 @@ int MSG_ReadLong( msg_t *msg ) {
+ }
+
+ float MSG_ReadFloat( msg_t *msg ) {
+-
+ floatint_t dat;
+
+ dat.i = MSG_ReadBits( msg, 32 );
+@@ -462,7 +491,6 @@ char *MSG_ReadBigString( msg_t *msg ) {
+ if ( c == '%' ) {
+ c = '.';
+ }
+-
+ // don't allow higher ascii values
+ if ( c > 127 ) {
+ c = '.';
+@@ -491,7 +519,6 @@ char *MSG_ReadStringLine( msg_t *msg ) {
+ if ( c == '%' ) {
+ c = '.';
+ }
+-
+ // don't allow higher ascii values
+ if ( c > 127 ) {
+ c = '.';
+diff --git a/MP/code/qcommon/qcommon.h b/MP/code/qcommon/qcommon.h
+index 1f23d0f..02ef8e8 100644
+--- a/MP/code/qcommon/qcommon.h
++++ b/MP/code/qcommon/qcommon.h
+@@ -1327,9 +1327,9 @@ void Huff_Decompress( msg_t *buf, int offset );
+ void Huff_Init( huffman_t *huff );
+ void Huff_addRef( huff_t* huff, byte ch );
+ int Huff_Receive( node_t *node, int *ch, byte *fin );
+-void Huff_transmit( huff_t *huff, int ch, byte *fout );
+-void Huff_offsetReceive( node_t *node, int *ch, byte *fin, int *offset );
+-void Huff_offsetTransmit( huff_t *huff, int ch, byte *fout, int *offset );
++void Huff_transmit( huff_t *huff, int ch, byte *fout, int maxoffset );
++void Huff_offsetReceive( node_t *node, int *ch, byte *fin, int *offset, int maxoffset );
++void Huff_offsetTransmit( huff_t *huff, int ch, byte *fout, int *offset, int maxoffset );
+ void Huff_putBit( int bit, byte *fout, int *offset );
+ int Huff_getBit( byte *fout, int *offset );
+
+diff --git a/SP/code/qcommon/huffman.c b/SP/code/qcommon/huffman.c
+index 00b007e..88b972c 100644
+--- a/SP/code/qcommon/huffman.c
++++ b/SP/code/qcommon/huffman.c
+@@ -36,7 +36,7 @@ If you have questions concerning this license or the applicable additional terms
+
+ static int bloc = 0;
+
+-void Huff_putBit( int bit, byte *fout, int *offset ) {
++void Huff_putBit( int bit, byte *fout, int *offset ) {
+ bloc = *offset;
+ if ( ( bloc & 7 ) == 0 ) {
+ fout[( bloc >> 3 )] = 0;
+@@ -46,17 +46,15 @@ void Huff_putBit( int bit, byte *fout, int *offset ) {
+ *offset = bloc;
+ }
+
+-int Huff_getBloc(void)
+-{
++int Huff_getBloc( void ) {
+ return bloc;
+ }
+
+-void Huff_setBloc(int _bloc)
+-{
++void Huff_setBloc( int _bloc ) {
+ bloc = _bloc;
+ }
+
+-int Huff_getBit( byte *fin, int *offset ) {
++int Huff_getBit( byte *fin, int *offset ) {
+ int t;
+ bloc = *offset;
+ t = ( fin[( bloc >> 3 )] >> ( bloc & 7 ) ) & 0x1;
+@@ -286,9 +284,14 @@ int Huff_Receive( node_t *node, int *ch, byte *fin ) {
+ }
+
+ /* Get a symbol */
+-void Huff_offsetReceive( node_t *node, int *ch, byte *fin, int *offset ) {
++void Huff_offsetReceive( node_t *node, int *ch, byte *fin, int *offset, int maxoffset ) {
+ bloc = *offset;
+ while ( node && node->symbol == INTERNAL_NODE ) {
++ if ( bloc >= maxoffset ) {
++ *ch = 0;
++ *offset = maxoffset + 1;
++ return;
++ }
+ if ( get_bit( fin ) ) {
+ node = node->right;
+ } else {
+@@ -305,11 +308,15 @@ void Huff_offsetReceive( node_t *node, int *ch, byte *fin, int *offset ) {
+ }
+
+ /* Send the prefix code for this node */
+-static void send( node_t *node, node_t *child, byte *fout ) {
++static void send( node_t *node, node_t *child, byte *fout, int maxoffset ) {
+ if ( node->parent ) {
+- send( node->parent, node, fout );
++ send( node->parent, node, fout, maxoffset );
+ }
+ if ( child ) {
++ if ( bloc >= maxoffset ) {
++ bloc = maxoffset + 1;
++ return;
++ }
+ if ( node->right == child ) {
+ add_bit( 1, fout );
+ } else {
+@@ -319,22 +326,22 @@ static void send( node_t *node, node_t *child, byte *fout ) {
+ }
+
+ /* Send a symbol */
+-void Huff_transmit( huff_t *huff, int ch, byte *fout ) {
++void Huff_transmit( huff_t *huff, int ch, byte *fout, int maxoffset ) {
+ int i;
+ if ( huff->loc[ch] == NULL ) {
+ /* node_t hasn't been transmitted, send a NYT, then the symbol */
+- Huff_transmit( huff, NYT, fout );
++ Huff_transmit( huff, NYT, fout, maxoffset );
+ for ( i = 7; i >= 0; i-- ) {
+ add_bit( (char)( ( ch >> i ) & 0x1 ), fout );
+ }
+ } else {
+- send( huff->loc[ch], NULL, fout );
++ send( huff->loc[ch], NULL, fout, maxoffset );
+ }
+ }
+
+-void Huff_offsetTransmit( huff_t *huff, int ch, byte *fout, int *offset ) {
++void Huff_offsetTransmit( huff_t *huff, int ch, byte *fout, int *offset, int maxoffset ) {
+ bloc = *offset;
+- send( huff->loc[ch], NULL, fout );
++ send( huff->loc[ch], NULL, fout, maxoffset );
+ *offset = bloc;
+ }
+
+@@ -374,17 +381,17 @@ void Huff_Decompress( msg_t *mbuf, int offset ) {
+ seq[j] = 0;
+ break;
+ }
+- Huff_Receive( huff.tree, &ch, buffer ); /* Get a character */
+- if ( ch == NYT ) { /* We got a NYT, get the symbol associated with it */
++ Huff_Receive( huff.tree, &ch, buffer ); /* Get a character */
++ if ( ch == NYT ) { /* We got a NYT, get the symbol associated with it */
+ ch = 0;
+ for ( i = 0; i < 8; i++ ) {
+ ch = ( ch << 1 ) + get_bit( buffer );
+ }
+ }
+
+- seq[j] = ch; /* Write symbol */
++ seq[j] = ch; /* Write symbol */
+
+- Huff_addRef( &huff, (byte)ch ); /* Increment node */
++ Huff_addRef( &huff, (byte)ch ); /* Increment node */
+ }
+ mbuf->cursize = cch + offset;
+ Com_Memcpy( mbuf->data + offset, seq, cch );
+@@ -420,11 +427,11 @@ void Huff_Compress( msg_t *mbuf, int offset ) {
+
+ for ( i = 0; i < size; i++ ) {
+ ch = buffer[i];
+- Huff_transmit( &huff, ch, seq ); /* Transmit symbol */
+- Huff_addRef( &huff, (byte)ch ); /* Do update */
++ Huff_transmit( &huff, ch, seq, size << 3 ); /* Transmit symbol */
++ Huff_addRef( &huff, (byte)ch ); /* Do update */
+ }
+
+- bloc += 8; // next byte
++ bloc += 8; // next byte
+
+ mbuf->cursize = ( bloc >> 3 ) + offset;
+ Com_Memcpy( mbuf->data + offset, seq, ( bloc >> 3 ) );
+diff --git a/SP/code/qcommon/msg.c b/SP/code/qcommon/msg.c
+index 350cfd0..f88e88c 100644
+--- a/SP/code/qcommon/msg.c
++++ b/SP/code/qcommon/msg.c
+@@ -87,14 +87,13 @@ void MSG_BeginReadingOOB( msg_t *msg ) {
+ msg->oob = qtrue;
+ }
+
+-void MSG_Copy(msg_t *buf, byte *data, int length, msg_t *src)
+-{
+- if (length<src->cursize) {
+- Com_Error( ERR_DROP, "MSG_Copy: can't copy into a smaller msg_t buffer");
++void MSG_Copy( msg_t *buf, byte *data, int length, msg_t *src ) {
++ if ( length < src->cursize ) {
++ Com_Error( ERR_DROP, "MSG_Copy: can't copy into a smaller msg_t buffer" );
+ }
+- Com_Memcpy(buf, src, sizeof(msg_t));
++ Com_Memcpy( buf, src, sizeof( msg_t ) );
+ buf->data = data;
+- Com_Memcpy(buf->data, src->data, src->cursize);
++ Com_Memcpy( buf->data, src->data, src->cursize );
+ }
+
+ /*
+@@ -111,9 +110,8 @@ void MSG_WriteBits( msg_t *msg, int value, int bits ) {
+
+ oldsize += bits;
+
+- // this isn't an exact overflow check, but close enough
+- if ( msg->maxsize - msg->cursize < 4 ) {
+- msg->overflowed = qtrue;
++
++ if ( msg->overflowed ) {
+ return;
+ }
+
+@@ -125,13 +123,18 @@ void MSG_WriteBits( msg_t *msg, int value, int bits ) {
+ bits = -bits;
+ }
+ if ( msg->oob ) {
++ if ( msg->cursize + ( bits >> 3 ) > msg->maxsize ) {
++ msg->overflowed = qtrue;
++ return;
++ }
++
+ if ( bits == 8 ) {
+ msg->data[msg->cursize] = value;
+ msg->cursize += 1;
+ msg->bit += 8;
+ } else if ( bits == 16 ) {
+ short temp = value;
+-
++
+ CopyLittleShort(&msg->data[msg->cursize], &temp);
+ msg->cursize += 2;
+ msg->bit += 16;
+@@ -147,6 +150,10 @@ void MSG_WriteBits( msg_t *msg, int value, int bits ) {
+ if ( bits & 7 ) {
+ int nbits;
+ nbits = bits & 7;
++ if ( msg->bit + nbits > msg->maxsize << 3 ) {
++ msg->overflowed = qtrue;
++ return;
++ }
+ for ( i = 0; i < nbits; i++ ) {
+ Huff_putBit( ( value & 1 ), msg->data, &msg->bit );
+ value = ( value >> 1 );
+@@ -155,8 +162,13 @@ void MSG_WriteBits( msg_t *msg, int value, int bits ) {
+ }
+ if ( bits ) {
+ for ( i = 0; i < bits; i += 8 ) {
+- Huff_offsetTransmit( &msgHuff.compressor, ( value & 0xff ), msg->data, &msg->bit );
++ Huff_offsetTransmit( &msgHuff.compressor, ( value & 0xff ), msg->data, &msg->bit, msg->maxsize << 3 );
+ value = ( value >> 8 );
++
++ if ( msg->bit > msg->maxsize << 3 ) {
++ msg->overflowed = qtrue;
++ return;
++ }
+ }
+ }
+ msg->cursize = ( msg->bit >> 3 ) + 1;
+@@ -170,6 +182,10 @@ int MSG_ReadBits( msg_t *msg, int bits ) {
+ int i, nbits;
+ // FILE* fp;
+
++ if ( msg->readcount > msg->cursize ) {
++ return 0;
++ }
++
+ value = 0;
+
+ if ( bits < 0 ) {
+@@ -180,6 +196,11 @@ int MSG_ReadBits( msg_t *msg, int bits ) {
+ }
+
+ if ( msg->oob ) {
++ if ( msg->readcount + ( bits >> 3 ) > msg->cursize ) {
++ msg->readcount = msg->cursize + 1;
++ return 0;
++ }
++
+ if ( bits == 8 ) {
+ value = msg->data[msg->readcount];
+ msg->readcount += 1;
+@@ -202,6 +223,10 @@ int MSG_ReadBits( msg_t *msg, int bits ) {
+ nbits = 0;
+ if ( bits & 7 ) {
+ nbits = bits & 7;
++ if ( msg->bit + nbits > msg->cursize << 3 ) {
++ msg->readcount = msg->cursize + 1;
++ return 0;
++ }
+ for ( i = 0; i < nbits; i++ ) {
+ value |= ( Huff_getBit( msg->data, &msg->bit ) << i );
+ }
+@@ -210,9 +235,14 @@ int MSG_ReadBits( msg_t *msg, int bits ) {
+ if ( bits ) {
+ // fp = fopen("c:\\netchan.bin", "a");
+ for ( i = 0; i < bits; i += 8 ) {
+- Huff_offsetReceive( msgHuff.decompressor.tree, &get, msg->data, &msg->bit );
++ Huff_offsetReceive( msgHuff.decompressor.tree, &get, msg->data, &msg->bit, msg->cursize << 3 );
+ // fwrite(&get, 1, 1, fp);
+ value |= ( get << ( i + nbits ) );
++
++ if ( msg->bit > msg->cursize << 3 ) {
++ msg->readcount = msg->cursize + 1;
++ return 0;
++ }
+ }
+ // fclose(fp);
+ }
+@@ -607,7 +637,7 @@ void MSG_WriteDeltaKey( msg_t *msg, int key, int oldV, int newV, int bits ) {
+
+ int MSG_ReadDeltaKey( msg_t *msg, int key, int oldV, int bits ) {
+ if ( MSG_ReadBits( msg, 1 ) ) {
+- return MSG_ReadBits( msg, bits ) ^ ( key & kbitmask[bits - 1] );
++ return MSG_ReadBits( msg, bits ) ^ ( key & kbitmask[ bits - 1 ] );
+ }
+ return oldV;
+ }
+@@ -643,9 +673,9 @@ usercmd_t communication
+ */
+
+ /*
+-=====================
++========================
+ MSG_WriteDeltaUsercmdKey
+-=====================
++========================
+ */
+ void MSG_WriteDeltaUsercmdKey( msg_t *msg, int key, usercmd_t *from, usercmd_t *to ) {
+ if ( to->serverTime - from->serverTime < 256 ) {
+@@ -690,9 +720,9 @@ void MSG_WriteDeltaUsercmdKey( msg_t *msg, int key, usercmd_t *from, usercmd_t *
+
+
+ /*
+-=====================
++=======================
+ MSG_ReadDeltaUsercmdKey
+-=====================
++=======================
+ */
+ void MSG_ReadDeltaUsercmdKey( msg_t *msg, int key, usercmd_t *from, usercmd_t *to ) {
+ if ( MSG_ReadBits( msg, 1 ) ) {
+@@ -896,7 +926,6 @@ void MSG_ReportChangeVectors_f( void ) {
+ #endif
+ }
+
+-
+ typedef struct {
+ char *name;
+ int offset;
+diff --git a/SP/code/qcommon/qcommon.h b/SP/code/qcommon/qcommon.h
+index f424036..e481bd2 100644
+--- a/SP/code/qcommon/qcommon.h
++++ b/SP/code/qcommon/qcommon.h
+@@ -1241,9 +1241,9 @@ void Huff_Decompress( msg_t *buf, int offset );
+ void Huff_Init( huffman_t *huff );
+ void Huff_addRef( huff_t* huff, byte ch );
+ int Huff_Receive( node_t *node, int *ch, byte *fin );
+-void Huff_transmit( huff_t *huff, int ch, byte *fout );
+-void Huff_offsetReceive( node_t *node, int *ch, byte *fin, int *offset );
+-void Huff_offsetTransmit( huff_t *huff, int ch, byte *fout, int *offset );
++void Huff_transmit( huff_t *huff, int ch, byte *fout, int maxoffset );
++void Huff_offsetReceive( node_t *node, int *ch, byte *fin, int *offset, int maxoffset );
++void Huff_offsetTransmit( huff_t *huff, int ch, byte *fout, int *offset, int maxoffset );
+ void Huff_putBit( int bit, byte *fout, int *offset );
+ int Huff_getBit( byte *fout, int *offset );
+
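Review bot: In the new MSG_WriteBits bounds checks (the embedded MP/code/qcommon/msg.c hunks at @@ -150 and @@ -158, duplicated for SP/code/qcommon/msg.c), both guards compare with `>` against `msg->maxsize << 3`, so a write whose last bit lands exactly on bit maxsize*8 passes, and the unchanged `msg->cursize = ( msg->bit >> 3 ) + 1;` then evaluates to maxsize + 1 while overflowed stays qfalse. If callers use cursize as the number of valid bytes in data (the netchan send path is not visible here), that would be a one-byte over-read of the message buffer instead of the overflow signal this patch is meant to provide; the old "close enough" check that the patch removes could not reach this state. A cheap repair is to validate the result once, after both loops: `msg->cursize = ( msg->bit >> 3 ) + 1;` followed by `if ( msg->cursize > msg->maxsize ) { msg->overflowed = qtrue; }`. The enclosing MSG_WriteBits body starts outside these hunks, and since the patch is vendored from the upstream commit named in its Origin header, the same edge applies there.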
diff --git a/debian/patches/series b/debian/patches/series
index fdea571..9ec252e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,6 +2,7 @@ security/All-Don-t-load-.pk3s-as-.dlls-and-don-t-load-user-config-.patch
security/All-Don-t-open-.pk3-files-as-OpenAL-drivers.patch
security/All-Merge-some-file-writing-extension-checks.patch
Don-t-require-.git-index-to-exist.patch
+security/All-Fix-improve-buffer-overflow-in-MSG_ReadBits-MSG_Write.patch
debian/Disable-client-side-auto-download-by-default.patch
debian/File-access-methods-prevent-overwriting-DLLs-CVE-201.patch
debian/Remove-support-for-downloading-executable-updates.patch