r765 - in trunk/code: cgame client q3_ui qcommon renderer ui

DONOTREPLY at icculus.org DONOTREPLY at icculus.org
Fri May 5 21:56:25 EDT 2006


Author: thilo
Date: 2006-05-05 21:56:24 -0400 (Fri, 05 May 2006)
New Revision: 765

Modified:
   trunk/code/cgame/cg_weapons.c
   trunk/code/client/cl_main.c
   trunk/code/q3_ui/ui_playermodel.c
   trunk/code/q3_ui/ui_players.c
   trunk/code/q3_ui/ui_saveconfig.c
   trunk/code/qcommon/files.c
   trunk/code/qcommon/q_shared.c
   trunk/code/qcommon/q_shared.h
   trunk/code/qcommon/vm.c
   trunk/code/renderer/tr_bsp.c
   trunk/code/renderer/tr_shader.c
   trunk/code/ui/ui_main.c
   trunk/code/ui/ui_players.c
Log:
Add string length checking to function COM_StripExtension. This fixes the R_RemapShader buffer overflow exploit that can be found here:
http://milw0rm.com/exploits/1750


Modified: trunk/code/cgame/cg_weapons.c
===================================================================
--- trunk/code/cgame/cg_weapons.c	2006-05-06 00:39:35 UTC (rev 764)
+++ trunk/code/cgame/cg_weapons.c	2006-05-06 01:56:24 UTC (rev 765)
@@ -656,17 +656,17 @@
 	}
 
 	strcpy( path, item->world_model[0] );
-	COM_StripExtension( path, path );
+	COM_StripExtension(path, path, sizeof(path));
 	strcat( path, "_flash.md3" );
 	weaponInfo->flashModel = trap_R_RegisterModel( path );
 
 	strcpy( path, item->world_model[0] );
-	COM_StripExtension( path, path );
+	COM_StripExtension(path, path, sizeof(path));
 	strcat( path, "_barrel.md3" );
 	weaponInfo->barrelModel = trap_R_RegisterModel( path );
 
 	strcpy( path, item->world_model[0] );
-	COM_StripExtension( path, path );
+	COM_StripExtension(path, path, sizeof(path));
 	strcat( path, "_hand.md3" );
 	weaponInfo->handsModel = trap_R_RegisterModel( path );
 
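Review bot: The `strcpy( path, item->world_model[0] )` before each patched call and the `strcat` after it are still unbounded, so the new `sizeof(path)` limit is applied only after any overflow of `path` would already have happened (source and destination are the same buffer here). Copying and stripping in one bounded step, `COM_StripExtension( item->world_model[0], path, sizeof(path) );`, followed by `Q_strcat( path, sizeof(path), "_flash.md3" );`, would bound all three writes. The same pattern appears in the q3_ui/ui_players.c and ui/ui_players.c hunks. The declaration of `path` and the origin of `world_model` are outside the hunk, so if those strings come only from a static item table this is hardening rather than a live bug.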

Modified: trunk/code/client/cl_main.c
===================================================================
--- trunk/code/client/cl_main.c	2006-05-06 00:39:35 UTC (rev 764)
+++ trunk/code/client/cl_main.c	2006-05-06 01:56:24 UTC (rev 765)
@@ -2066,7 +2066,7 @@
 			}
 
 			Q_strncpyz( mapName, COM_SkipPath( cl.mapname ), sizeof( cl.mapname ) );
-			COM_StripExtension( mapName, mapName );
+			COM_StripExtension(mapName, mapName, sizeof(mapName));
 
 			Cbuf_ExecuteText( EXEC_NOW,
 					va( "record %s-%s-%s", nowString, serverName, mapName ) );
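Review bot: The context line above the change, `Q_strncpyz( mapName, COM_SkipPath( cl.mapname ), sizeof( cl.mapname ) )`, bounds the copy by the size of the source buffer rather than the destination, while the new call correctly uses `sizeof(mapName)`. If `mapName` (declared outside the hunk) is smaller than `cl.mapname`, that copy can overrun before the strip runs; the limit should read `sizeof( mapName )`. The tr_bsp.c hunk has the same mismatch: `s_worldData.baseName` is filled with a limit of `sizeof( s_worldData.name )`.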

Modified: trunk/code/q3_ui/ui_playermodel.c
===================================================================
--- trunk/code/q3_ui/ui_playermodel.c	2006-05-06 00:39:35 UTC (rev 764)
+++ trunk/code/q3_ui/ui_playermodel.c	2006-05-06 01:56:24 UTC (rev 765)
@@ -391,7 +391,7 @@
 	int		numfiles;
 	char	dirlist[2048];
 	char	filelist[2048];
-	char	skinname[64];
+	char	skinname[MAX_QPATH];
 	char*	dirptr;
 	char*	fileptr;
 	int		i;
@@ -424,7 +424,7 @@
 		{
 			filelen = strlen(fileptr);
 
-			COM_StripExtension(fileptr,skinname);
+			COM_StripExtension(fileptr,skinname, sizeof(skinname));
 
 			// look for icon_????
 			if (!Q_stricmpn(skinname,"icon_",5))

Modified: trunk/code/q3_ui/ui_players.c
===================================================================
--- trunk/code/q3_ui/ui_players.c	2006-05-06 00:39:35 UTC (rev 764)
+++ trunk/code/q3_ui/ui_players.c	2006-05-06 01:56:24 UTC (rev 765)
@@ -89,13 +89,13 @@
 
 	if ( weaponNum == WP_MACHINEGUN || weaponNum == WP_GAUNTLET || weaponNum == WP_BFG ) {
 		strcpy( path, item->world_model[0] );
-		COM_StripExtension( path, path );
+		COM_StripExtension( path, path, sizeof(path) );
 		strcat( path, "_barrel.md3" );
 		pi->barrelModel = trap_R_RegisterModel( path );
 	}
 
 	strcpy( path, item->world_model[0] );
-	COM_StripExtension( path, path );
+	COM_StripExtension( path, path, sizeof(path) );
 	strcat( path, "_flash.md3" );
 	pi->flashModel = trap_R_RegisterModel( path );
 

Modified: trunk/code/q3_ui/ui_saveconfig.c
===================================================================
--- trunk/code/q3_ui/ui_saveconfig.c	2006-05-06 00:39:35 UTC (rev 764)
+++ trunk/code/q3_ui/ui_saveconfig.c	2006-05-06 01:56:24 UTC (rev 765)
@@ -85,7 +85,7 @@
 		return;
 	}
 
-	COM_StripExtension(saveConfig.savename.field.buffer, configname );
+	COM_StripExtension(saveConfig.savename.field.buffer, configname, sizeof(configname));
 	trap_Cmd_ExecuteText( EXEC_APPEND, va( "writeconfig %s.cfg\n", configname ) );
 	UI_PopMenu();
 }

Modified: trunk/code/qcommon/files.c
===================================================================
--- trunk/code/qcommon/files.c	2006-05-06 00:39:35 UTC (rev 764)
+++ trunk/code/qcommon/files.c	2006-05-06 01:56:24 UTC (rev 765)
@@ -3451,7 +3451,7 @@
 		Q_strncpyz( filename, filenames[ i ], MAX_STRING_CHARS );
 
 		if( stripExt ) {
-			COM_StripExtension( filename, filename );
+			COM_StripExtension(filename, filename, sizeof(filename));
 		}
 
 		callback( filename );
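Review bot: The two adjacent calls state the size of `filename` differently: the context line passes `MAX_STRING_CHARS` and the new line passes `sizeof(filename)`. They agree only if `filename` is an array of exactly that size, and its declaration is outside the hunk. Using the same expression in both, `Q_strncpyz( filename, filenames[ i ], sizeof( filename ) );`, keeps the two limits from drifting apart.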

Modified: trunk/code/qcommon/q_shared.c
===================================================================
--- trunk/code/qcommon/q_shared.c	2006-05-06 00:39:35 UTC (rev 764)
+++ trunk/code/qcommon/q_shared.c	2006-05-06 01:56:24 UTC (rev 765)
@@ -58,10 +58,10 @@
 COM_StripExtension
 ============
 */
-void COM_StripExtension( const char *in, char *out ) {
+void COM_StripExtension( const char *in, char *out, int destsize ) {
 	int             length;
 
-	strcpy( out, in );
+	Q_strncpyz(out, in, destsize);
 
 	length = strlen(out)-1;
 	while (length > 0 && out[length] != '.')
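Review bot: Several callers in this commit pass the same buffer as `in` and `out` (the cg_weapons.c, cl_main.c, files.c, tr_bsp.c and ui_players.c hunks), so `Q_strncpyz(out, in, destsize)` now copies a buffer onto itself. The body of `Q_strncpyz` is not shown; if it is built on `strncpy`, overlapping source and destination is undefined behaviour in C. Skipping the copy in that case, `if ( in != out ) Q_strncpyz( out, in, destsize );`, keeps the in-place use well defined. The header comment should also say that `destsize` is the full size of `out` including the terminator, and that an in-place call cannot undo an overflow that happened before it. The rest of the function body lies outside the hunk.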

Modified: trunk/code/qcommon/q_shared.h
===================================================================
--- trunk/code/qcommon/q_shared.h	2006-05-06 00:39:35 UTC (rev 764)
+++ trunk/code/qcommon/q_shared.h	2006-05-06 01:56:24 UTC (rev 765)
@@ -588,7 +588,7 @@
 float Com_Clamp( float min, float max, float value );
 
 char	*COM_SkipPath( char *pathname );
-void	COM_StripExtension( const char *in, char *out );
+void	COM_StripExtension(const char *in, char *out, int destsize);
 void	COM_DefaultExtension( char *path, int maxSize, const char *extension );
 
 void	COM_BeginParseSession( const char *name );

Modified: trunk/code/qcommon/vm.c
===================================================================
--- trunk/code/qcommon/vm.c	2006-05-06 00:39:35 UTC (rev 764)
+++ trunk/code/qcommon/vm.c	2006-05-06 01:56:24 UTC (rev 765)
@@ -230,7 +230,7 @@
 		return;
 	}
 
-	COM_StripExtension( vm->name, name );
+	COM_StripExtension(vm->name, name, sizeof(name));
 	Com_sprintf( symbols, sizeof( symbols ), "vm/%s.map", name );
 	len = FS_ReadFile( symbols, (void **)&mapfile );
 	if ( !mapfile ) {

Modified: trunk/code/renderer/tr_bsp.c
===================================================================
--- trunk/code/renderer/tr_bsp.c	2006-05-06 00:39:35 UTC (rev 764)
+++ trunk/code/renderer/tr_bsp.c	2006-05-06 01:56:24 UTC (rev 765)
@@ -1823,7 +1823,7 @@
 	Q_strncpyz( s_worldData.name, name, sizeof( s_worldData.name ) );
 
 	Q_strncpyz( s_worldData.baseName, COM_SkipPath( s_worldData.name ), sizeof( s_worldData.name ) );
-	COM_StripExtension( s_worldData.baseName, s_worldData.baseName );
+	COM_StripExtension(s_worldData.baseName, s_worldData.baseName, sizeof(s_worldData.baseName));
 
 	startMarker = ri.Hunk_Alloc(0, h_low);
 	c_gridVerts = 0;

Modified: trunk/code/renderer/tr_shader.c
===================================================================
--- trunk/code/renderer/tr_shader.c	2006-05-06 00:39:35 UTC (rev 764)
+++ trunk/code/renderer/tr_shader.c	2006-05-06 01:56:24 UTC (rev 765)
@@ -95,7 +95,7 @@
 
 	// remap all the shaders with the given name
 	// even tho they might have different lightmaps
-	COM_StripExtension( shaderName, strippedName );
+	COM_StripExtension(shaderName, strippedName, sizeof(strippedName));
 	hash = generateHashValue(strippedName, FILE_HASH_SIZE);
 	for (sh = hashTable[hash]; sh; sh = sh->next) {
 		if (Q_stricmp(sh->name, strippedName) == 0) {
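Review bot: An over-long `shaderName` is now truncated silently and the truncated `strippedName` is then hashed and compared, so a name longer than the buffer can match a different, shorter shader name and nothing is logged. Rejecting the input up front, with `if ( strlen( shaderName ) >= sizeof( strippedName ) )` followed by an `ri.Printf( PRINT_WARNING, ... )` and an early exit, would avoid the mismatch and leave a trace when malformed names arrive. The other two hunks in this file truncate `name` the same way, though the `return tr.defaultShader;` in their leading context may already belong to a length check that is not visible here. The function's start and return type are outside the hunk.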
@@ -2365,7 +2365,7 @@
 		return tr.defaultShader;
 	}
 
-	COM_StripExtension( name, strippedName );
+	COM_StripExtension(name, strippedName, sizeof(strippedName));
 
 	hash = generateHashValue(strippedName, FILE_HASH_SIZE);
 
@@ -2433,7 +2433,7 @@
 		lightmapIndex = LIGHTMAP_BY_VERTEX;
 	}
 
-	COM_StripExtension( name, strippedName );
+	COM_StripExtension(name, strippedName, sizeof(strippedName));
 
 	hash = generateHashValue(strippedName, FILE_HASH_SIZE);
 

Modified: trunk/code/ui/ui_main.c
===================================================================
--- trunk/code/ui/ui_main.c	2006-05-06 00:39:35 UTC (rev 764)
+++ trunk/code/ui/ui_main.c	2006-05-06 01:56:24 UTC (rev 765)
@@ -4958,7 +4958,7 @@
 	int		numfiles;
 	char	dirlist[2048];
 	char	filelist[2048];
-	char	skinname[64];
+	char	skinname[MAX_QPATH];
 	char	scratch[256];
 	char*	dirptr;
 	char*	fileptr;
@@ -4988,7 +4988,7 @@
 		{
 			filelen = strlen(fileptr);
 
-			COM_StripExtension(fileptr,skinname);
+			COM_StripExtension(fileptr, skinname, sizeof(skinname));
 
 			// look for icon_????
 			if (Q_stricmpn(skinname, "icon_", 5) == 0 && !(Q_stricmp(skinname,"icon_blue") == 0 || Q_stricmp(skinname,"icon_red") == 0))

Modified: trunk/code/ui/ui_players.c
===================================================================
--- trunk/code/ui/ui_players.c	2006-05-06 00:39:35 UTC (rev 764)
+++ trunk/code/ui/ui_players.c	2006-05-06 01:56:24 UTC (rev 765)
@@ -90,13 +90,13 @@
 
 	if ( weaponNum == WP_MACHINEGUN || weaponNum == WP_GAUNTLET || weaponNum == WP_BFG ) {
 		strcpy( path, item->world_model[0] );
-		COM_StripExtension( path, path );
+		COM_StripExtension(path, path, sizeof(path));
 		strcat( path, "_barrel.md3" );
 		pi->barrelModel = trap_R_RegisterModel( path );
 	}
 
 	strcpy( path, item->world_model[0] );
-	COM_StripExtension( path, path );
+	COM_StripExtension(path, path, sizeof(path));
 	strcat( path, "_flash.md3" );
 	pi->flashModel = trap_R_RegisterModel( path );
 



