Mirroristas/rathena
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* Fixed a crash when script 'npctalk' is given too long string (bugreport:4759, related r2145).

Browse Source 
- Fixed related buffer overflows in message related clif functions (since r1182, r14270).

git-svn-id: https://svn.code.sf.net/p/rathena/svn/trunk@14704 54d463be-8e91-2dee-dedb-b68131a5f0ec
This commit is contained in:
ai4rei 2011-02-14 12:49:08 +00:00
parent 90a0575afa
commit 531584b648
3 changed files with 28 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Changelog-Trunk.txt
View File

@ -1,5 +1,8 @@
Date Added
2011/02/14
* Fixed a crash when script 'npctalk' is given too long string (bugreport:4759, related r2145). [Ai4rei]
- Fixed related buffer overflows in message related clif functions (since r1182, r14270).
2011/02/09
* Fixed script command 'bpet' (Pet Incubator) displaying an empty egg list when attempting to hatch a pet while already having one out (bugreport:3313). [Ai4rei]
2011/02/08

18
src/map/clif.c
View File

@ -4930,6 +4930,12 @@ void clif_GlobalMessage(struct block_list* bl, const char* message)
len = strlen(message)+1;
if( len > sizeof(buf)-8 )
{
ShowWarning("clif_GlobalMessage: Truncating too long message '%s' (len=%d).\n", message, len);
len = sizeof(buf)-8;
}
WBUFW(buf,0)=0x8d;
WBUFW(buf,2)=len+8;
WBUFL(buf,4)=bl->id;
@ -7513,6 +7519,12 @@ int clif_messagecolor(struct block_list* bl, unsigned long color, const char* ms
nullpo_ret(bl);
if( msg_len > sizeof(buf)-12 )
{
ShowWarning("clif_messagecolor: Truncating too long message '%s' (len=%u).\n", msg, msg_len);
msg_len = sizeof(buf)-12;
}
WBUFW(buf,0) = 0x2C1;
WBUFW(buf,2) = msg_len + 12;
WBUFL(buf,4) = bl->id;
@ -7532,6 +7544,12 @@ int clif_message(struct block_list* bl, const char* msg)
nullpo_ret(bl);
if( msg_len > sizeof(buf)-8 )
{
ShowWarning("clif_message: Truncating too long message '%s' (len=%u).\n", msg, msg_len);
msg_len = sizeof(buf)-8;
}
WBUFW(buf,0) = 0x8d;
WBUFW(buf,2) = msg_len + 8;
WBUFL(buf,4) = bl->id;

14
src/map/script.c
View File

@ -11813,17 +11813,17 @@ BUILDIN_FUNC(message)
BUILDIN_FUNC(npctalk)
{
const char* str;
char message[255];
char name[NAME_LENGTH], message[256];
struct npc_data* nd = (struct npc_data *)map_id2bl(st->oid);
str = script_getstr(st,2);
if(nd) {
memcpy(message, nd->name, NAME_LENGTH);
strtok(message, "#"); // discard extra name identifier if present
strcat(message, " : ");
strncat(message, str, 254); //Prevent overflow possibility. [Skotlex]
clif_message(&(nd->bl), message);
if(nd)
{
safestrncpy(name, nd->name, sizeof(name));
strtok(name, "#"); // discard extra name identifier if present
safesnprintf(message, sizeof(message), "%s : %s", name, str);
clif_message(&nd->bl, message);
}
return 0;