Add string length checking to function COM_StripExtension. This fixes the R_RemapShader buffer overflow exploit that can be found here:

http://milw0rm.com/exploits/1750
2006-05-06 01:56:24 +00:00 · 2006-05-06 01:56:24 +00:00 · d21411452e
commit d21411452e
parent 2e368c02a6
13 changed files with 22 additions and 22 deletions
--- a/code/q3_ui/ui_playermodel.c
+++ b/code/q3_ui/ui_playermodel.c
@ -391,7 +391,7 @@ static void PlayerModel_BuildList( void )
 	int		numfiles;
 	char	dirlist[2048];
 	char	filelist[2048];
-	char	skinname[64];
+	char	skinname[MAX_QPATH];
 	char*	dirptr;
 	char*	fileptr;
 	int		i;
@ -424,7 +424,7 @@ static void PlayerModel_BuildList( void )
 		{
 			filelen = strlen(fileptr);

-			COM_StripExtension(fileptr,skinname);
+			COM_StripExtension(fileptr,skinname, sizeof(skinname));

 			// look for icon_????
 			if (!Q_stricmpn(skinname,"icon_",5))