authorHelmut Grohne <helmut@subdivi.de>2010-01-19 20:24:19 +0100
committerJared Adams <jaxad0127@gmail.com>2010-01-19 18:39:39 +0000
commit67e82f1a0bc2a9078cfe11e0add190fa7cc4b891 (patch)
treeec2f2134d4c6b1a037c18fb65bdd3ef18a4efb8e /src/map
parentabe96e3b05a99a984d6f00098f1aa9759814b542 (diff)
fixed a few buffer overruns
strncpy does not always terminate strings. Unterminated strings (without a length) are bad. So better terminate them.
Diffstat (limited to 'src/map')
-rw-r--r--src/map/chrif.c9
-rw-r--r--src/map/clif.c4
-rw-r--r--src/map/npc.c8
-rw-r--r--src/map/pc.c3
-rw-r--r--src/map/script.c7
5 files changed, 19 insertions, 12 deletions
diff --git a/src/map/chrif.c b/src/map/chrif.c
index c4a528b..1f5673a 100644
--- a/src/map/chrif.c
+++ b/src/map/chrif.c
@@ -51,7 +51,8 @@ static int chrif_state;
*/
void chrif_setuserid (char *id)
{
- strncpy (userid, id, 24);
+ strncpy (userid, id, sizeof(userid)-1);
+ userid[sizeof(userid)-1] = '\0';
}
/*==========================================
@@ -60,7 +61,8 @@ void chrif_setuserid (char *id)
*/
void chrif_setpasswd (char *pwd)
{
- strncpy (passwd, pwd, 24);
+ strncpy (passwd, pwd, sizeof(passwd)-1);
+ passwd[sizeof(passwd)-1] = '\0';
}
/*==========================================
@@ -69,7 +71,8 @@ void chrif_setpasswd (char *pwd)
*/
void chrif_setip (char *ip)
{
- strncpy (char_ip_str, ip, 16);
+ strncpy (char_ip_str, ip, sizeof(char_ip_str)-1);
+ char_ip_str[sizeof(char_ip_str)-1] = '\0';
char_ip = inet_addr (char_ip_str);
}
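Review bot: `char_ip = inet_addr (char_ip_str);` at the end of chrif_setip is still stored unchecked, and with the new bound an over-long `ip` argument is silently cut to `sizeof(char_ip_str)-1` characters before it is parsed. A truncated or non-numeric string makes inet_addr return `INADDR_NONE`, which would then be kept as the char-server address. Consider logging and leaving the previous value in place when `strlen (ip) >= sizeof (char_ip_str)` or when the result is `INADDR_NONE`. The same silent truncation applies to `userid` and `passwd` in the two hunks above, where a shortened credential would only surface later as a failed login.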
diff --git a/src/map/clif.c b/src/map/clif.c
index c3099d7..86be79c 100644
--- a/src/map/clif.c
+++ b/src/map/clif.c
@@ -8204,14 +8204,14 @@ void clif_parse_NpcStringInput (int fd, struct map_session_data *sd)
len = RFIFOW (fd, 2) - 7;
- if (len >= sizeof (sd->npc_str))
+ if (len >= sizeof (sd->npc_str)-1)
{
printf ("clif: input string too long !\n");
memcpy (sd->npc_str, RFIFOP (fd, 8), sizeof (sd->npc_str));
- sd->npc_str[sizeof (sd->npc_str) - 1] = 0;
}
else
strncpy (sd->npc_str, RFIFOP (fd, 8), len);
+ sd->npc_str[sizeof (sd->npc_str) - 1] = 0;
map_scriptcont (sd, RFIFOL (fd, 4));
}
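Review bot: In the `else` branch the copied string is not terminated at `len`: `strncpy (sd->npc_str, RFIFOP (fd, 8), len)` writes at most `len` bytes and the only terminator is now the one at the last byte of the buffer, so when the client sends `len` bytes with no NUL, whatever an earlier input left in `npc_str` from index `len` onward stays part of the string passed on to the script. Bracing the `else` body and adding `sd->npc_str[len] = 0;` after the strncpy closes that, since `len` is below `sizeof (sd->npc_str)-1` on that path. Separately, the too-long branch does a `memcpy` of a full `sizeof (sd->npc_str)` bytes from the packet regardless of how many bytes were actually received; `len` is declared outside the hunk, but if `RFIFOW (fd, 2)` is below 7 the subtraction probably lands in this branch too, so the copy length should be bounded by the received packet size. The start of clif_parse_NpcStringInput is outside the hunk.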
diff --git a/src/map/npc.c b/src/map/npc.c
index 49fe578..4ff5ba2 100644
--- a/src/map/npc.c
+++ b/src/map/npc.c
@@ -321,7 +321,8 @@ int npc_event_doall_l (const char *name, int rid, int argc, argrec_t * args)
int c = 0;
char buf[64] = "::";
- strncpy (buf + 2, name, 62);
+ strncpy (buf + 2, name, sizeof(buf)-3);
+ buf[sizeof(buf)-1] = '\0';
strdb_foreach (ev_db, npc_event_doall_sub, &c, buf, rid, argc, args);
return c;
}
@@ -1477,7 +1478,8 @@ int npc_convertlabel_db (void *key, void *data, va_list ap)
* (num + 1));
*p = '\0';
- strncpy (lst[num].name, lname, 24);
+ strncpy (lst[num].name, lname, sizeof(lst[num].name)-1);
+ lst[num].name[sizeof(lst[num].name)-1] = '\0';
*p = ':';
lst[num].pos = pos;
nd->u.scr.label_list = lst;
@@ -1856,7 +1858,7 @@ static int npc_parse_function (char *w1, char *w2, char *w3, char *w4,
p = (char *) aCalloc (50, sizeof (char));
- strncpy (p, w3, 50);
+ strncpy (p, w3, 49);
strdb_insert (script_get_userfunc_db (), p, script);
// label_db=script_get_label_db();
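Review bot: Termination of `p` depends on `aCalloc` having zero-filled the 50-byte block, because `strncpy (p, w3, 49)` is not followed by an explicit terminator as in the other hunks of this commit. That holds as long as the allocator zeroes memory (its definition is not visible here), but the 49 is hand-derived from the 50 on the line above and the dependency is unstated; a comment such as `/* p is zero-filled by aCalloc, so byte 49 stays NUL */` or a shared named constant would keep the two in step. The same pattern appears in script.c at buildin_getcastlename (`aCalloc (24, ...)` with `strncpy (buf, gc->castle_name, 23)`) and at buildin_getsavepoint, where the allocation of `mapname` is outside the hunk, so an explicit `mapname[23] = '\0';` after that strncpy would remove the guesswork. A function name longer than 49 characters is also truncated silently before it becomes the `strdb_insert` key, so two long names sharing a prefix would collide.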
diff --git a/src/map/pc.c b/src/map/pc.c
index 689bcd2..9741852 100644
--- a/src/map/pc.c
+++ b/src/map/pc.c
@@ -8359,7 +8359,8 @@ int pc_setsavepoint (struct map_session_data *sd, char *mapname, int x, int y)
{
nullpo_retr (0, sd);
- strncpy (sd->status.save_point.map, mapname, 24);
+ strncpy (sd->status.save_point.map, mapname, 23);
+ sd->status.save_point.map[23] = '\0';
sd->status.save_point.x = x;
sd->status.save_point.y = y;
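Review bot: The bound in `strncpy (sd->status.save_point.map, mapname, 23)` and the index in `sd->status.save_point.map[23] = '\0'` are hard-coded, while the chrif.c, npc.c and buildin_fakenpcname hunks of the same commit derive them with `sizeof`. The declaration of `save_point.map` is outside the diff; if it is an array, using `sizeof (sd->status.save_point.map) - 1` in both places keeps the copy correct should the field size change, and if the field is smaller than 24 bytes the literal index writes past it. `mapname` is also passed to strncpy without a null check, although `sd` is guarded by `nullpo_retr`. pc_setsavepoint continues past the end of the hunk.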
diff --git a/src/map/script.c b/src/map/script.c
index bbde20c..03a092e 100644
--- a/src/map/script.c
+++ b/src/map/script.c
@@ -5691,7 +5691,7 @@ int buildin_getcastlename (struct script_state *st)
if (strcmp (mapname, gc->map_name) == 0)
{
buf = (char *) aCalloc (24, sizeof (char));
- strncpy (buf, gc->castle_name, 24);
+ strncpy (buf, gc->castle_name, 23);
break;
}
}
@@ -6942,10 +6942,10 @@ int buildin_getsavepoint (struct script_state *st)
x = sd->status.save_point.x;
y = sd->status.save_point.y;
- strncpy (mapname, sd->status.save_point.map, 24);
switch (type)
{
case 0:
+ strncpy (mapname, sd->status.save_point.map, 23);
push_str (st->stack, C_STR, mapname);
break;
case 1:
@@ -7068,7 +7068,8 @@ int buildin_fakenpcname (struct script_state *st)
nd = npc_name2id (name);
if (!nd)
return 1;
- strncpy (nd->name, newname, 24);
+ strncpy (nd->name, newname, sizeof(nd->name)-1);
+ nd->name[sizeof(nd->name)-1] = '\0';
nd->class = newsprite;
// Refresh this npc