From 531584b6485d4d6ac5bca2d26dfbe781ab806fd8 Mon Sep 17 00:00:00 2001
From: ai4rei
Date: Mon, 14 Feb 2011 12:49:08 +0000
Subject: [PATCH] * Fixed a crash when script 'npctalk' is given too long string (bugreport:4759, related r2145).
- Fixed related buffer overflows in message related clif functions (since r1182, r14270).
git-svn-id: https://svn.code.sf.net/p/rathena/svn/trunk@14704 54d463be-8e91-2dee-dedb-b68131a5f0ec
---
Changelog-Trunk.txt | 3 +++
src/map/clif.c | 18 ++++++++++++++++++
src/map/script.c | 14 +++++++-------
3 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/Changelog-Trunk.txt b/Changelog-Trunk.txt
index 689133ab7a..f720764576 100644
--- a/Changelog-Trunk.txt
+++ b/Changelog-Trunk.txt
@@ -1,5 +1,8 @@
 Date Added
+2011/02/14
+ * Fixed a crash when script 'npctalk' is given too long string (bugreport:4759, related r2145). [Ai4rei]
+ - Fixed related buffer overflows in message related clif functions (since r1182, r14270).
 2011/02/09
 * Fixed script command 'bpet' (Pet Incubator) displaying an empty egg list when attempting to hatch a pet while already having one out (bugreport:3313). [Ai4rei]
 2011/02/08
diff --git a/src/map/clif.c b/src/map/clif.c
index 4d3ca1b193..c8d0ad32d9 100644
--- a/src/map/clif.c
+++ b/src/map/clif.c
@@ -4930,6 +4930,12 @@ void clif_GlobalMessage(struct block_list* bl, const char* message)
 len = strlen(message)+1;
+ if( len > sizeof(buf)-8 )
+ {
+ ShowWarning("clif_GlobalMessage: Truncating too long message '%s' (len=%d).\n", message, len);
+ len = sizeof(buf)-8;
+ }
+
 WBUFW(buf,0)=0x8d;
 WBUFW(buf,2)=len+8;
 WBUFL(buf,4)=bl->id;
@@ -7513,6 +7519,12 @@ int clif_messagecolor(struct block_list* bl, unsigned long color, const char* ms
 nullpo_ret(bl);
+ if( msg_len > sizeof(buf)-12 )
+ {
+ ShowWarning("clif_messagecolor: Truncating too long message '%s' (len=%u).\n", msg, msg_len);
+ msg_len = sizeof(buf)-12;
+ }
+
 WBUFW(buf,0) = 0x2C1;
 WBUFW(buf,2) = msg_len + 12;
 WBUFL(buf,4) = bl->id;
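Review bot: Clamping `len` to `sizeof(buf)-8` keeps the copy inside `buf`, but `len` was computed as `strlen(message)+1` so that the terminator travels with the text; once it is clamped, the last byte copied is a message character rather than the NUL, and the string placed in the 0x8d packet is no longer terminated. The copy itself lies outside the hunk, so whether this bites depends on how it is written (a `strncpy`/`memcpy` of `len` bytes would have this problem). Terminating explicitly after the copy, `WBUFB(buf,8+len-1) = '\0';`, makes the truncated packet well-formed regardless of the copy routine. The same applies to the clif_messagecolor hunk below (offset 12, `msg_len`) and to the clif_message hunk on the next line (offset 8). The warning here prints `len` with `%d` while the other two hunks use `%u` for `msg_len`; the specifier that matches each declaration (both outside the hunks) should be used consistently.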
@@ -7532,6 +7544,12 @@ int clif_message(struct block_list* bl, const char* msg)
 nullpo_ret(bl);
+ if( msg_len > sizeof(buf)-8 )
+ {
+ ShowWarning("clif_message: Truncating too long message '%s' (len=%u).\n", msg, msg_len);
+ msg_len = sizeof(buf)-8;
+ }
+
 WBUFW(buf,0) = 0x8d;
 WBUFW(buf,2) = msg_len + 8;
 WBUFL(buf,4) = bl->id;
diff --git a/src/map/script.c b/src/map/script.c
index df862dcc0a..bbb0041dec 100644
--- a/src/map/script.c
+++ b/src/map/script.c
@@ -11813,17 +11813,17 @@ BUILDIN_FUNC(message)
 BUILDIN_FUNC(npctalk)
 {
 const char* str;
- char message[255];
+ char name[NAME_LENGTH], message[256];
 struct npc_data* nd = (struct npc_data *)map_id2bl(st->oid);
 str = script_getstr(st,2);
- if(nd) {
- memcpy(message, nd->name, NAME_LENGTH);
- strtok(message, "#"); // discard extra name identifier if present
- strcat(message, " : ");
- strncat(message, str, 254); //Prevent overflow possibility. [Skotlex]
- clif_message(&(nd->bl), message);
+ if(nd)
+ {
+ safestrncpy(name, nd->name, sizeof(name));
+ strtok(name, "#"); // discard extra name identifier if present
+ safesnprintf(message, sizeof(message), "%s : %s", name, str);
+ clif_message(&nd->bl, message);
 }
 return 0;