[Bug 3330] New: Memory write passed the end of allocated array
bugzilla-daemon at icculus.org
Tue Aug 28 03:06:40 EDT 2007
http://bugzilla.icculus.org/show_bug.cgi?id=3330
Summary: Memory write passed the end of allocated array
Product: Quake 3
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P3
Component: Misc
AssignedTo: zakk at icculus.org
ReportedBy: info at dbwatersports.com
QAContact: quake3-bugzilla at icculus.org
In code/q3_ui/ui_startserver.c, there are 2 members in the startserver_t struct
that are defined as arrays:

    char maplist[MAX_SERVERMAPS][MAX_NAMELENGTH];
    int mapGamebits[MAX_SERVERMAPS];

MAX_SERVERMAPS is defined as 64.

The function StartServer_GametypeEvent() loops through the list of loaded
arenas (a maximum of 1024 arenas can be loaded) and matches the selected
gametype with the gametype(s) defined for the map. If there is a match, the
current map is added to the maplist array and the gamebits are stored in the
corresponding mapGamebits array.

The problem is that there is no check to see if the array limit has been
reached. The current code just keeps on incrementing the count and writing
away. Depending on the number of maps that match the gametype, this could
overwrite quite a bit of memory. I probably don't have to elaborate as to the
potential repercussions of this.

Most people don't have that many maps, so this is not a huge problem. But, I
stumbled across it because some friends put together a mappack of 100 maps...

I have attached a .diff file with the fix for this problem.
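The missing bounds check described in the report, as an added example that is not part of the original report, the attached .diff, or the Quake 3 source. The arena_t type, the nummaps and canary members, the function names and the value of MAX_NAMELENGTH are assumptions made for this sketch; only the two arrays and MAX_SERVERMAPS = 64 come from the report.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SERVERMAPS 64   /* value stated in the report */
#define MAX_NAMELENGTH 16   /* assumed value for this sketch */

typedef struct { char name[32]; int gamebits; } arena_t;  /* hypothetical arena record */

typedef struct {
    char maplist[MAX_SERVERMAPS][MAX_NAMELENGTH];
    int  mapGamebits[MAX_SERVERMAPS];
    int  nummaps;           /* assumed name for the running count */
    unsigned canary;        /* stands in for whatever memory follows the arrays */
} startserver_t;

/* Copy every arena whose gamebits match into s, stopping at MAX_SERVERMAPS.
   Returns how many matching arenas were skipped because the arrays were full. */
int fill_maplist(startserver_t *s, const arena_t *arenas, int count, int matchbits)
{
    int i, dropped = 0;
    s->nummaps = 0;
    for (i = 0; i < count; i++) {
        if (!(arenas[i].gamebits & matchbits))
            continue;
        if (s->nummaps >= MAX_SERVERMAPS) {   /* the check the report says is missing */
            dropped++;
            continue;
        }
        /* snprintf truncates over-long names and always NUL-terminates */
        snprintf(s->maplist[s->nummaps], MAX_NAMELENGTH, "%s", arenas[i].name);
        s->mapGamebits[s->nummaps] = arenas[i].gamebits;
        s->nummaps++;
    }
    return dropped;
}

/* Constructed input: a 100-map pack in which every map matches the gametype. */
int demo_hundred_maps(startserver_t *s)
{
    static arena_t pack[100];
    int i;
    for (i = 0; i < 100; i++) {
        snprintf(pack[i].name, sizeof pack[i].name, "mappack_level_%03d", i);
        pack[i].gamebits = 1;
    }
    memset(s, 0, sizeof *s);
    s->canary = 0xC0FFEEu;
    return fill_maplist(s, pack, 100, 1);
}

int main(void)
{
    startserver_t s;
    int dropped = demo_hundred_maps(&s);
    printf("stored=%d dropped=%d canary=%#x\n", s.nummaps, dropped, s.canary);
    return 0;
}
```

Without the `s->nummaps >= MAX_SERVERMAPS` test, maps 65 through 100 of the constructed pack would be written past both arrays and into the members that follow them.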