author | Haru <haru@dotalux.com> | 2018-02-13 01:29:48 +0100 |
---|---|---|
committer | Haru <haru@dotalux.com> | 2018-02-13 01:42:50 +0100 |
commit | 3c6f9eb913c643872f00fcd6d01bd3dc4c8b15fb (patch) | |
tree | 92b3224bd427cbfb6e13e3c2e3cfda5a9bea6aab /src/map/clif.c | |
parent | e47b550a0e6da897eeece63417ac35ec89dafd2d (diff) | |
Fix unterminated strings in ZC_BATTLEFIELD_CHAT
Follow-up to #1890 (targeting the clients that were excluded)
The unterminated string could cause client crashes or trailing garbage
to be displayed when receiving a battlegrounds chat message, on various
client versions.
Signed-off-by: Haru <haru@dotalux.com>
Diffstat (limited to 'src/map/clif.c')
-rw-r--r-- | src/map/clif.c | 21 |
1 files changed, 9 insertions, 12 deletions
diff --git a/src/map/clif.c b/src/map/clif.c
index 6e1cb4cf7..7c314b075 100644
--- a/src/map/clif.c
+++ b/src/map/clif.c
@@ -16566,18 +16566,15 @@ void clif_bg_message(struct battleground_data *bgd, int src_id, const char *name
 return;
 len = (int)strlen(mes);
-#if PACKETVER <= 20120716
- len += 1;
-#endif
- Assert_retv(len <= INT16_MAX - NAME_LENGTH - 8);
- buf = (unsigned char*)aMalloc((len + NAME_LENGTH + 8)*sizeof(unsigned char));
-
- WBUFW(buf,0) = 0x2dc;
- WBUFW(buf,2) = len + NAME_LENGTH + 8;
- WBUFL(buf,4) = src_id;
- memcpy(WBUFP(buf,8), name, NAME_LENGTH);
- memcpy(WBUFP(buf,32), mes, len); // [!] no NUL terminator
- clif->send(buf,WBUFW(buf,2), &sd->bl, BG);
+ Assert_retv(len <= INT16_MAX - NAME_LENGTH - 9);
+ buf = (unsigned char *)aCalloc(len + NAME_LENGTH + 9, sizeof(unsigned char));
+
+ WBUFW(buf, 0) = 0x2dc;
+ WBUFW(buf, 2) = len + NAME_LENGTH + 9;
+ WBUFL(buf, 4) = src_id;
+ safestrncpy(WBUFP(buf, 8), name, NAME_LENGTH);
+ safestrncpy(WBUFP(buf, 32), mes, len + 1);
+ clif->send(buf, WBUFW(buf, 2), &sd->bl, BG);
 aFree(buf);
 } |
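Review bot: The message is still written at the literal offset `32`, while the allocation size and the packet length field are both derived from `NAME_LENGTH`, so the layout is only consistent if `NAME_LENGTH` is 24 (its definition is not visible in this hunk). If that constant were ever smaller, the second `safestrncpy` would write `len + 1` bytes past the end of the `aCalloc` buffer; if it were larger, the name field would be partly overwritten by the message. Tie the offset to the same constant, `safestrncpy(WBUFP(buf, 8 + NAME_LENGTH), mes, len + 1);`. A short comment next to the `Assert_retv`, such as `// 8-byte header + NAME_LENGTH name + message + NUL terminator`, would also explain why the bound moved from 8 to 9. The body of clif_bg_message begins above the hunk, so how `name` and `mes` are validated before this point cannot be checked here.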