Skip to content

Commit

Permalink
fix buffer overflow in progs global string functions
Browse files Browse the repository at this point in the history
Using v1.06 `progs.dat`, the following code causes buffer overflow as string value it references is long enough to fill entire `line` variable

```c
PR_PrintStatement(&pr_statements[5821]);
```
  • Loading branch information
alexey-lysiuk committed Dec 25, 2023
1 parent 9785099 commit f20e894
Showing 1 changed file with 12 additions and 2 deletions.
14 changes: 12 additions & 2 deletions Quake/pr_edict.c
Original file line number Diff line number Diff line change
Expand Up @@ -418,6 +418,7 @@ const char *PR_GlobalString (int ofs)
static char line[512];
const char *s;
int i;
static const int lastchari = Q_COUNTOF(line) - 2;
ddef_t *def;
void *val;

Expand All @@ -434,7 +435,11 @@ const char *PR_GlobalString (int ofs)
i = strlen(line);
for ( ; i < 20; i++)
strcat (line, " ");
strcat (line, " ");

if (i < lastchari)
strcat (line, " ");
else
line[lastchari] = ' ';

return line;
}
Expand All @@ -443,6 +448,7 @@ const char *PR_GlobalStringNoContents (int ofs)
{
static char line[512];
int i;
static const int lastchari = Q_COUNTOF(line) - 2;
ddef_t *def;

def = ED_GlobalAtOfs(ofs);
Expand All @@ -454,7 +460,11 @@ const char *PR_GlobalStringNoContents (int ofs)
i = strlen(line);
for ( ; i < 20; i++)
strcat (line, " ");
strcat (line, " ");

if (i < lastchari)
strcat (line, " ");
else
line[lastchari] = ' ';

return line;
}
Expand Down

0 comments on commit f20e894

Please sign in to comment.