From f20e894b493338bc5d3e69e4b14d3ba1f7f18985 Mon Sep 17 00:00:00 2001 From: "alexey.lysiuk" Date: Mon, 25 Dec 2023 13:57:31 +0200 Subject: [PATCH] fix buffer overflow in progs global string functions Using v1.06 `progs.dat`, the following code causes buffer overflow as string value it references is long enough to fill entire `line` variable ```c PR_PrintStatement(&pr_statements[5821]); ``` --- Quake/pr_edict.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/Quake/pr_edict.c b/Quake/pr_edict.c index ba14d143c..2f4e591b6 100644 --- a/Quake/pr_edict.c +++ b/Quake/pr_edict.c @@ -418,6 +418,7 @@ const char *PR_GlobalString (int ofs) static char line[512]; const char *s; int i; + static const int lastchari = Q_COUNTOF(line) - 2; ddef_t *def; void *val; @@ -434,7 +435,11 @@ const char *PR_GlobalString (int ofs) i = strlen(line); for ( ; i < 20; i++) strcat (line, " "); - strcat (line, " "); + + if (i < lastchari) + strcat (line, " "); + else + line[lastchari] = ' '; return line; } @@ -443,6 +448,7 @@ const char *PR_GlobalStringNoContents (int ofs) { static char line[512]; int i; + static const int lastchari = Q_COUNTOF(line) - 2; ddef_t *def; def = ED_GlobalAtOfs(ofs); @@ -454,7 +460,11 @@ const char *PR_GlobalStringNoContents (int ofs) i = strlen(line); for ( ; i < 20; i++) strcat (line, " "); - strcat (line, " "); + + if (i < lastchari) + strcat (line, " "); + else + line[lastchari] = ' '; return line; }