[Bug 3330] New: Memory write past the end of allocated array

bugzilla-daemon at icculus.org bugzilla-daemon at icculus.org
Tue Aug 28 03:06:40 EDT 2007


http://bugzilla.icculus.org/show_bug.cgi?id=3330

           Summary: Memory write past the end of allocated array
           Product: Quake 3
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Misc
        AssignedTo: zakk at icculus.org
        ReportedBy: info at dbwatersports.com
         QAContact: quake3-bugzilla at icculus.org


In code/q3_ui/ui_startserver.c, there are 2 members in the startserver_t struct
that are defined as arrays:

char maplist[MAX_SERVERMAPS][MAX_NAMELENGTH] 
int mapGamebits[MAX_SERVERMAPS]

MAX_SERVERMAPS is defined as 64.

The function StartServer_GametypeEvent() loops through the list of loaded
arenas (a maximum of 1024 arenas can be loaded) and matches the selected
gametype with the gametype(s) defined for the map. If there is a match, the
current map is added to the maplist array and the gamebits are stored in the
corresponding mapGamebits array.

The problem is that there is no check to see if the array limit has been
reached. The current code just keeps on incrementing the count and writing
away. Depending on the number of maps that match the gametype, this could
overwrite quite a bit of memory. I probably don't have to elaborate as to the
potential repercussions of this.

Most people don't have that many maps, so this is not a huge problem. But I
stumbled across it because some friends put together a mappack of 100 maps...

I have attached a .diff file with the fix for this problem.


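The overrun described in the report, as an added stand-alone model (not the
project's ui_startserver.c and not the reporter's attached diff): a struct with
maplist[MAX_SERVERMAPS][MAX_NAMELENGTH] and mapGamebits[MAX_SERVERMAPS] is
filled from a constructed 100-map pack, with the bound check the report says is
missing. MAX_SERVERMAPS = 64 comes from the report; MAX_NAMELENGTH = 16, the
GT_* bit positions, the arena_t layout and all function names are assumptions
for this example.

```c
#include <stdio.h>
#include <string.h>

/* Model of the q3_ui startserver_t arrays from the bug report.
   MAX_SERVERMAPS is from the report; MAX_NAMELENGTH and the GT_* bit
   positions are assumed for this example. */
#define MAX_SERVERMAPS 64
#define MAX_NAMELENGTH 16
#define MAX_ARENAS     1024

enum { GT_FFA = 0, GT_TOURNAMENT, GT_SINGLE_PLAYER, GT_TEAM, GT_CTF };

typedef struct {
    char name[MAX_NAMELENGTH];
    int  gamebits;                 /* bitmask of gametypes the map supports */
} arena_t;

typedef struct {
    int  nummaps;
    char maplist[MAX_SERVERMAPS][MAX_NAMELENGTH];
    int  mapGamebits[MAX_SERVERMAPS];
    int  canary;                   /* sits after the arrays so an overrun is visible */
} startserver_t;

#define CANARY 0x5AFE5AFE

/* Hardened version of the fill loop: matching arenas beyond MAX_SERVERMAPS
   are counted and dropped instead of being written past the end of
   maplist/mapGamebits.  Returns the number of matching arenas dropped. */
static int fill_maplist(startserver_t *ss, const arena_t *arenas, int count, int matchbits)
{
    int i, dropped = 0;

    ss->nummaps = 0;
    for (i = 0; i < count; i++) {
        if (!(arenas[i].gamebits & matchbits))
            continue;
        if (ss->nummaps >= MAX_SERVERMAPS) {   /* the bound check the report says is missing */
            dropped++;
            continue;
        }
        strncpy(ss->maplist[ss->nummaps], arenas[i].name, MAX_NAMELENGTH - 1);
        ss->maplist[ss->nummaps][MAX_NAMELENGTH - 1] = '\0';
        ss->mapGamebits[ss->nummaps] = arenas[i].gamebits;
        ss->nummaps++;
    }
    return dropped;
}

/* Constructed mappack: n arenas named pack001.., every one supports FFA and
   every fourth also supports CTF.  Returns the number created (capped). */
static int make_mappack(arena_t *arenas, int n)
{
    int i;
    if (n > MAX_ARENAS) n = MAX_ARENAS;
    for (i = 0; i < n; i++) {
        snprintf(arenas[i].name, MAX_NAMELENGTH, "pack%03d", i + 1);
        arenas[i].gamebits = 1 << GT_FFA;
        if (i % 4 == 0) arenas[i].gamebits |= 1 << GT_CTF;
    }
    return n;
}

/* Entries the unbounded loop would write past the arrays for a given
   number of matching arenas (one name row and one int per entry). */
static int overrun_entries(int matching)
{
    return matching > MAX_SERVERMAPS ? matching - MAX_SERVERMAPS : 0;
}

/* Fills an n-map pack for matchbits; stores nummaps, returns the dropped
   count, or -1 if the canary after the arrays was clobbered. */
static int run_mappack(int n, int matchbits, int *nummaps_out)
{
    static arena_t arenas[MAX_ARENAS];
    startserver_t ss;
    int dropped;

    memset(&ss, 0, sizeof ss);
    ss.canary = CANARY;
    n = make_mappack(arenas, n);
    dropped = fill_maplist(&ss, arenas, n, matchbits);
    if (ss.canary != CANARY) return -1;
    if (nummaps_out) *nummaps_out = ss.nummaps;
    return dropped;
}

int main(void)
{
    int nummaps = 0;
    int dropped = run_mappack(100, 1 << GT_FFA, &nummaps);
    printf("100-map pack, FFA: kept %d, dropped %d; unbounded loop would overrun by %d entries\n",
           nummaps, dropped, overrun_entries(nummaps + dropped));
    return 0;
}
```

With the reporter's 100-map pack and a gametype every map supports, 64 entries
fit and 36 are dropped; without the check those 36 would each write a name row
past maplist and an int past mapGamebits, which is the overwrite the report
warns about.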