okseby/Quake-III-Arena
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add string length checking to function COM_StripExtension. This fixes the R_RemapShader buffer overflow exploit that can be found here:

Browse source 
http://milw0rm.com/exploits/1750
This commit is contained in:
Thilo Schulz 2006-05-06 01:56:24 +00:00
parent 2e368c02a6
commit d21411452e
13 changed files with 22 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

6
code/renderer/tr_shader.c
View file

@ -95,7 +95,7 @@ void R_RemapShader(const char *shaderName, const char *newShaderName, const char
// remap all the shaders with the given name
// even tho they might have different lightmaps
COM_StripExtension( shaderName, strippedName );
COM_StripExtension(shaderName, strippedName, sizeof(strippedName));
hash = generateHashValue(strippedName, FILE_HASH_SIZE);
for (sh = hashTable[hash]; sh; sh = sh->next) {
if (Q_stricmp(sh->name, strippedName) == 0) {
@ -2365,7 +2365,7 @@ shader_t *R_FindShaderByName( const char *name ) {
return tr.defaultShader;
}
COM_StripExtension( name, strippedName );
COM_StripExtension(name, strippedName, sizeof(strippedName));
hash = generateHashValue(strippedName, FILE_HASH_SIZE);
@ -2433,7 +2433,7 @@ shader_t *R_FindShader( const char *name, int lightmapIndex, qboolean mipRawImag
lightmapIndex = LIGHTMAP_BY_VERTEX;
}
COM_StripExtension( name, strippedName );
COM_StripExtension(name, strippedName, sizeof(strippedName));
hash = generateHashValue(strippedName, FILE_HASH_SIZE);