[quake3] R_RemapShader buffer overflow fixed

Thilo Schulz arny at ats.s.bawue.de
Fri May 5 22:16:17 EDT 2006


On Saturday 06 May 2006 04:03, Thilo Schulz wrote:
> Someone with
> normal i386 may want to double check, I'm going to bed now...

Ah.. almost forgot to write what the bug was:
The COM_StripExtension routine, used by both VMs and engine, will chop off the 
filename extension and copy the input string in its entirety to the output 
buffer. It doesn't check the length of the buffer, though, so the out buffer 
can easily be overflowed.
The irony is that the remapShader command from the server falls under the category 
"a feature long forgotten, never really used and opening the way to 
exploits". It is totally screwed up because in cg_servercmds.c it uses 
CG_Argv() for all three arguments to the trap_R_RemapShader call, which is a 
bit daft if you consider that each call to CG_Argv() returns a pointer to the 
same static buffer, which results in the function R_RemapShader being called 
with all three arguments being the same.

-- 
Thilo Schulz
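As an added illustration of the two defects the post describes (an unbounded extension-stripping copy, and three arguments that all alias one static buffer), here is example C that is not part of the original mail or of the quake3 source. It assumes a buffer size of MAX_QPATH = 64 and uses a constructed stand-in, shared_argv(), for the static-buffer accessor; strip_extension_bounded() is a hypothetical bounded replacement, not the engine's own fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the engine's path buffers; the value is assumed here for the example. */
#define MAX_QPATH 64

/* True if copying `in` verbatim (plus NUL) would run past an out_size-byte buffer.
 * This is the length check the unbounded routine omitted. */
int would_overflow(const char *in, size_t out_size) {
    return strlen(in) + 1 > out_size;
}

/* Hypothetical bounded strip-extension: copies `in` to `out` without its final
 * ".ext" and never writes more than out_size bytes (NUL included). Long input is
 * truncated instead of overflowing. Returns the length written, or -1 if
 * out_size is 0. A '.' before the last path separator is not an extension. */
int strip_extension_bounded(const char *in, char *out, size_t out_size) {
    if (out_size == 0) return -1;
    size_t len = strlen(in);
    size_t end = len;
    for (size_t i = len; i > 0; i--) {
        char c = in[i - 1];
        if (c == '/' || c == '\\') break;      /* reached the directory part */
        if (c == '.') { end = i - 1; break; }   /* cut at the last '.' */
    }
    if (end > out_size - 1) end = out_size - 1; /* truncate to fit */
    memcpy(out, in, end);
    out[end] = '\0';
    return (int)end;
}

/* Constructed stand-in for an argument accessor that returns the SAME static
 * buffer on every call: each call overwrites what the previous pointer showed. */
const char *shared_argv(const char **argv, int n) {
    static char buf[MAX_QPATH];
    strncpy(buf, argv[n], sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    return buf;
}

/* Number of distinct strings among three arguments (1..3). */
int distinct_count(const char *a, const char *b, const char *c) {
    int n = 1;
    if (strcmp(a, b) != 0) n++;
    if (strcmp(c, a) != 0 && strcmp(c, b) != 0) n++;
    return n;
}

/* The aliasing mistake: three pointers into one static buffer, so by the time
 * they are used they all read the last argument fetched. */
int aliased_distinct(const char **argv) {
    const char *a = shared_argv(argv, 0);
    const char *b = shared_argv(argv, 1);
    const char *c = shared_argv(argv, 2);
    return distinct_count(a, b, c);
}

/* The correct pattern: copy each argument into its own storage before the
 * next accessor call can overwrite the shared buffer. */
int captured_distinct(const char **argv) {
    char a[MAX_QPATH], b[MAX_QPATH], c[MAX_QPATH];
    strncpy(a, shared_argv(argv, 0), MAX_QPATH - 1); a[MAX_QPATH - 1] = '\0';
    strncpy(b, shared_argv(argv, 1), MAX_QPATH - 1); b[MAX_QPATH - 1] = '\0';
    strncpy(c, shared_argv(argv, 2), MAX_QPATH - 1); c[MAX_QPATH - 1] = '\0';
    return distinct_count(a, b, c);
}

int main(void) {
    char out[MAX_QPATH];
    const char *argv[] = { "textures/old_shader.tga", "textures/new_shader.tga", "0" }; /* constructed */
    strip_extension_bounded(argv[0], out, sizeof(out));
    printf("stripped: %s\n", out);
    printf("aliased distinct args: %d, captured distinct args: %d\n",
           aliased_distinct(argv), captured_distinct(argv));
    return 0;
}
```

The length check and the truncating copy are what make the first bug a rejected or shortened path instead of a stack write past the buffer; the per-argument copies are what make the three remap arguments actually differ.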