Fix an useless NULL check, and a very funny overrun.
authordivverent <divverent@d7cf8633-e32d-0410-b094-e92efae38249>
Mon, 9 Feb 2015 08:54:46 +0000 (08:54 +0000)
committerdivverent <divverent@d7cf8633-e32d-0410-b094-e92efae38249>
Mon, 9 Feb 2015 08:54:46 +0000 (08:54 +0000)
The overrun is in initialization of command line arguments, and thus not
exploitable.

git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@12160 d7cf8633-e32d-0410-b094-e92efae38249

common.c

index 667f99c6bbe887ca940a568f632663c81dcbf198..66b7895a2118c2550dabc8f3bef9e77cfb8b1a99 100644 (file)
--- a/common.c
+++ b/common.c
@@ -1619,13 +1619,22 @@ void COM_Init_Commands (void)
                if (strstr(com_argv[j], " "))
                {
                        // arg contains whitespace, store quotes around it
+                       // This condition checks whether we can allow to put
+                       // in two quote characters.
+                       if (n >= ((int)sizeof(com_cmdline) - 2))
+                               break;
                        com_cmdline[n++] = '\"';
+                       // This condition checks whether we can allow one
+                       // more character and a quote character.
                        while ((n < ((int)sizeof(com_cmdline) - 2)) && com_argv[j][i])
+                               // FIXME: Doesn't quote special characters.
                                com_cmdline[n++] = com_argv[j][i++];
                        com_cmdline[n++] = '\"';
                }
                else
                {
+                       // This condition checks whether we can allow one
+                       // more character.
                        while ((n < ((int)sizeof(com_cmdline) - 1)) && com_argv[j][i])
                                com_cmdline[n++] = com_argv[j][i++];
                }
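Review bot: Truncation is silent on every path in this hunk: the new `break` abandons the current argument (and, presumably, every later one, since it leaves the loop over `j`), and the quoted-copy loop can stop mid-argument and still write the closing quote, so a cut-off argument is stored as if it were complete. Anyone reading com_cmdline for diagnostics would then see something other than what was passed; consider reporting it after the copy loops, for example `if (com_argv[j][i]) Con_Printf("COM_Init_Commands: command line truncated\n");`, assuming the console is usable this early in startup. As a style point, the FIXME comment now sits between the unbraced `while` header and its single-statement body, and the new `if`/`break` is unbraced as well; bracing both would keep a later added line from falling outside the loop. The enclosing loop starts and ends outside the hunk, so how the separator and terminator are written after these branches could not be checked from here.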
@@ -2084,7 +2093,7 @@ void InfoString_SetValue(char *buffer, size_t bufferlength, const char *key, con
                Con_Printf("InfoString_SetValue: no room for \"%s\" \"%s\" in infostring\n", key, value);
                return;
        }
-       if (value && value[0])
+       if (value[0])
        {
                // set the key/value and append the remaining text
                char tempbuffer[MAX_INPUTLINE];
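Review bot: Dropping the `value &&` test makes a non-NULL `value` a hard precondition of InfoString_SetValue, yet nothing visible states or enforces it. The check was presumably redundant because `value` is already dereferenced earlier in the function (the `Con_Printf` above passes it to `%s`), but that part lies outside the hunk. I would record the contract at the function head with a comment such as `// key and value must not be NULL; an empty value takes the else branch below`, or enforce it with an early `if (!value) value = "";` so a caller passing NULL does not crash. The function body starts and ends outside the hunk, so the wording of the comment should be checked against what the empty-value branch actually does.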