summaryrefslogtreecommitdiff
path: root/src/map/clif.c
diff options
context:
space:
mode:
authorHaru <haru@dotalux.com>2018-02-13 01:29:48 +0100
committerHaru <haru@dotalux.com>2018-02-13 01:42:50 +0100
commit3c6f9eb913c643872f00fcd6d01bd3dc4c8b15fb (patch)
tree92b3224bd427cbfb6e13e3c2e3cfda5a9bea6aab /src/map/clif.c
parente47b550a0e6da897eeece63417ac35ec89dafd2d (diff)
downloadhercules-3c6f9eb913c643872f00fcd6d01bd3dc4c8b15fb.tar.gz
hercules-3c6f9eb913c643872f00fcd6d01bd3dc4c8b15fb.tar.bz2
hercules-3c6f9eb913c643872f00fcd6d01bd3dc4c8b15fb.tar.xz
hercules-3c6f9eb913c643872f00fcd6d01bd3dc4c8b15fb.zip
Fix unterminated strings in ZC_BATTLEFIELD_CHAT
Follow-up to #1890 (targeting the clients that were excluded) The unterminated string could cause client crashes or trailing garbage to be displayed when receiving a battlegrounds chat message, on various client versions. Signed-off-by: Haru <haru@dotalux.com>
Diffstat (limited to 'src/map/clif.c')
-rw-r--r--src/map/clif.c21
1 files changed, 9 insertions, 12 deletions
diff --git a/src/map/clif.c b/src/map/clif.c
index 6e1cb4cf7..7c314b075 100644
--- a/src/map/clif.c
+++ b/src/map/clif.c
@@ -16566,18 +16566,15 @@ void clif_bg_message(struct battleground_data *bgd, int src_id, const char *name
return;
len = (int)strlen(mes);
-#if PACKETVER <= 20120716
- len += 1;
-#endif
- Assert_retv(len <= INT16_MAX - NAME_LENGTH - 8);
- buf = (unsigned char*)aMalloc((len + NAME_LENGTH + 8)*sizeof(unsigned char));
-
- WBUFW(buf,0) = 0x2dc;
- WBUFW(buf,2) = len + NAME_LENGTH + 8;
- WBUFL(buf,4) = src_id;
- memcpy(WBUFP(buf,8), name, NAME_LENGTH);
- memcpy(WBUFP(buf,32), mes, len); // [!] no NUL terminator
- clif->send(buf,WBUFW(buf,2), &sd->bl, BG);
+ Assert_retv(len <= INT16_MAX - NAME_LENGTH - 9);
+ buf = (unsigned char *)aCalloc(len + NAME_LENGTH + 9, sizeof(unsigned char));
+
+ WBUFW(buf, 0) = 0x2dc;
+ WBUFW(buf, 2) = len + NAME_LENGTH + 9;
+ WBUFL(buf, 4) = src_id;
+ safestrncpy(WBUFP(buf, 8), name, NAME_LENGTH);
+ safestrncpy(WBUFP(buf, 32), mes, len + 1);
+ clif->send(buf, WBUFW(buf, 2), &sd->bl, BG);
aFree(buf);
}