From 61f870f921175e0d5fadcb2c318e94e102a0f594 Mon Sep 17 00:00:00 2001
From: Andrei Karas
Date: Wed, 2 May 2018 21:00:30 +0300
Subject: Fix possible wrong buffer size usage in clif.c.

---
 src/map/clif.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

(limited to 'src/map')

diff --git a/src/map/clif.c b/src/map/clif.c
index 47d5a1586..451b1fb17 100644
--- a/src/map/clif.c
+++ b/src/map/clif.c
@@ -19990,9 +19990,9 @@ void clif_rodex_send_maillist(int fd, struct map_session_data *sd, int8 open_typ
 }
 inner->Titlelength = (int16)strlen(msg->title) + 1;
 if (open_type != RODEX_OPENTYPE_RETURN) {
- strncpy(inner->SenderName, msg->sender_name, sizeof(msg->sender_name));
+ strncpy(inner->SenderName, msg->sender_name, sizeof(inner->SenderName));
 } else {
- strncpy(inner->SenderName, msg->receiver_name, sizeof(msg->receiver_name));
+ strncpy(inner->SenderName, msg->receiver_name, sizeof(inner->SenderName));
 }
 strncpy(inner->title, msg->title, inner->Titlelength);
 size += sizeof(*inner) + inner->Titlelength;
@@ -20051,9 +20051,9 @@ void clif_rodex_send_mails_all(int fd, struct map_session_data *sd, int64 mail_i
 }
 inner->Titlelength = (int16)strlen(msg->title) + 1;
 if (msg->opentype != RODEX_OPENTYPE_RETURN) {
- strncpy(inner->SenderName, msg->sender_name, sizeof(msg->sender_name));
+ strncpy(inner->SenderName, msg->sender_name, sizeof(inner->SenderName));
 } else {
- strncpy(inner->SenderName, msg->receiver_name, sizeof(msg->receiver_name));
+ strncpy(inner->SenderName, msg->receiver_name, sizeof(inner->SenderName));
 }
 strncpy(inner->title, msg->title, inner->Titlelength);
 size += sizeof(*inner) + inner->Titlelength;
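Review bot: The added `strncpy(inner->SenderName, ..., sizeof(inner->SenderName))` lines still leave SenderName without a terminating NUL whenever the source name fills or exceeds the destination, because strncpy does not terminate on truncation; the same applies to the matching lines in clif_rodex_send_mails_all and, in the next hunk, clif_rodex_send_refresh. Since `size += sizeof(*inner) + ...` suggests this struct is being packed for the client, a bounded copy that always terminates is the safer form, e.g. `safestrncpy(inner->SenderName, msg->sender_name, sizeof(inner->SenderName));` and likewise for the receiver_name branch, which is the helper the map.c change on this page already uses. If the packet layout deliberately does not require a trailing NUL, a comment saying that strncpy's zero-padding is the intended behaviour would spare the next reader the same question. The enclosing functions start and end outside the hunks.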
@@ -20122,9 +20122,9 @@ void clif_rodex_send_refresh(int fd, struct map_session_data *sd, int8 open_type
 }
 inner->Titlelength = (int16)strlen(msg->title) + 1;
 if (open_type != RODEX_OPENTYPE_RETURN) {
- strncpy(inner->SenderName, msg->sender_name, sizeof(msg->sender_name));
+ strncpy(inner->SenderName, msg->sender_name, sizeof(inner->SenderName));
 } else {
- strncpy(inner->SenderName, msg->receiver_name, sizeof(msg->receiver_name));
+ strncpy(inner->SenderName, msg->receiver_name, sizeof(inner->SenderName));
 }
 strncpy(inner->title, msg->title, inner->Titlelength);
 size += sizeof(*inner) + inner->Titlelength;
-- 
cgit v1.2.3-60-g2f50

From 4cf07e2dd8ead6470d15e254fdb0784329b4e131 Mon Sep 17 00:00:00 2001
From: Andrei Karas
Date: Wed, 2 May 2018 21:07:27 +0300
Subject: Fix possible buffer overflow in atcommand.c

---
 src/map/atcommand.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'src/map')

diff --git a/src/map/atcommand.c b/src/map/atcommand.c
index 9deed0098..90ba73fa6 100644
--- a/src/map/atcommand.c
+++ b/src/map/atcommand.c
@@ -6192,7 +6192,7 @@ ACMD(cleanarea) {
 *------------------------------------------*/
 ACMD(npctalk)
 {
- char name[NAME_LENGTH],mes[100],temp[100];
+ char name[NAME_LENGTH], mes[100], temp[200];
 struct npc_data *nd;
 bool ifcolor=(*(info->command + 7) != 'c' && *(info->command + 7) != 'C')?0:1;
 unsigned int color = 0;
@@ -6229,7 +6229,7 @@ ACMD(npctalk)
 ACMD(pettalk)
 {
- char mes[100],temp[100];
+ char mes[100], temp[200];
 struct pet_data *pd;
 if (battle_config.min_chat_delay) {
@@ -7034,7 +7034,7 @@ ACMD(homhungry)
 *------------------------------------------*/
 ACMD(homtalk)
 {
- char mes[100],temp[100];
+ char mes[100], temp[200];
 if (battle_config.min_chat_delay) {
 if (DIFF_TICK(sd->cantalk_tick, timer->gettick()) > 0)
-- 
cgit v1.2.3-60-g2f50

From ed8fac40e2d6cbf11b9a4a1a8182cd28871e3e6d Mon Sep 17 00:00:00 2001
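Review bot: The new `temp[200]` in npctalk, pettalk and homtalk is sized by a bare literal with no visible relation to `mes[100]` and `name[NAME_LENGTH]`, so nothing ties the bound to whatever is later formatted into temp (that call lies in the part of each function outside the hunk). If temp is composed from the name and the message, as the widening suggests, expressing that in the declaration (roughly `temp[NAME_LENGTH + sizeof(mes) + <separator length>]`, with the separator length taken from the actual format string) or at least a comment such as `/* temp holds name, separator and mes; must exceed NAME_LENGTH + sizeof(mes) */` would keep the two sizes from drifting apart again. Please also confirm that the call writing into temp is bounded by `sizeof(temp)` rather than a literal, since a larger buffer alone does not protect a call that still passes 100. All three enclosing functions continue past their hunks.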
From: Andrei Karas
Date: Thu, 3 May 2018 04:31:43 +0300
Subject: Fix overflow in map zones.

---
 src/map/map.c | 14 ++++++++------
 src/map/map.h | 2 +-
 2 files changed, 9 insertions(+), 7 deletions(-)

(limited to 'src/map')

diff --git a/src/map/map.c b/src/map/map.c
index 90b304865..8386b3c3d 100644
--- a/src/map/map.c
+++ b/src/map/map.c
@@ -5119,11 +5119,12 @@ bool map_zone_mf_cache(int m, char *flag, char *params) {
 }
 } else if (!strcmpi(flag,"adjust_unit_duration")) {
 int skill_id, k;
- char skill_name[MAP_ZONE_MAPFLAG_LENGTH], modifier[MAP_ZONE_MAPFLAG_LENGTH];
- size_t len = strlen(params);
+ char skill_name[MAX_SKILL_NAME_LENGTH], modifier[MAP_ZONE_MAPFLAG_LENGTH];
+ size_t len;
 modifier[0] = '\0';
- memcpy(skill_name, params, MAP_ZONE_MAPFLAG_LENGTH);
+ safestrncpy(skill_name, params, MAX_SKILL_NAME_LENGTH);
+ len = strlen(skill_name);
 for(k = 0; k < len; k++) {
 if( skill_name[k] == '\t' ) {
@@ -5152,11 +5153,12 @@ bool map_zone_mf_cache(int m, char *flag, char *params) {
 }
 } else if (!strcmpi(flag,"adjust_skill_damage")) {
 int skill_id, k;
- char skill_name[MAP_ZONE_MAPFLAG_LENGTH], modifier[MAP_ZONE_MAPFLAG_LENGTH];
- size_t len = strlen(params);
+ char skill_name[MAX_SKILL_NAME_LENGTH], modifier[MAP_ZONE_MAPFLAG_LENGTH];
+ size_t len;
 modifier[0] = '\0';
- memcpy(skill_name, params, MAP_ZONE_MAPFLAG_LENGTH);
+ safestrncpy(skill_name, params, MAX_SKILL_NAME_LENGTH);
+ len = strlen(skill_name);
 for(k = 0; k < len; k++) {
 if( skill_name[k] == '\t' ) {
diff --git a/src/map/map.h b/src/map/map.h
index d6afdc160..0618b0da8 100644
--- a/src/map/map.h
+++ b/src/map/map.h
@@ -740,7 +740,7 @@ enum map_zone_merge_type {
 #define MAP_ZONE_BG_NAME "Battlegrounds"
 #define MAP_ZONE_CVC_NAME "CvC"
 #define MAP_ZONE_PK_NAME "PK Mode"
-#define MAP_ZONE_MAPFLAG_LENGTH 50
+#define MAP_ZONE_MAPFLAG_LENGTH 65
 struct map_zone_data {
 char name[MAP_ZONE_NAME_LENGTH];/* 20'd */
-- 
cgit v1.2.3-60-g2f50
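Review bot: The new `safestrncpy(skill_name, params, MAX_SKILL_NAME_LENGTH)` repeats the array's size macro instead of deriving the bound from the array, so the copy bound and the declaration `char skill_name[MAX_SKILL_NAME_LENGTH]` can silently drift apart in a later edit; `safestrncpy(skill_name, params, sizeof(skill_name));` ties them together, and the same applies to the adjust_skill_damage hunk. The loop that follows, `for(k = 0; k < len; k++)`, compares the `int` index `k` with `len`, now a `size_t` bounded by the array; the line is unchanged context, but since `len` is being redefined here it is a natural moment to declare `k` as `size_t` as well. map_zone_mf_cache starts and ends outside both hunks.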
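Review bot: The bump of `MAP_ZONE_MAPFLAG_LENGTH` from 50 to 65 carries no explanation of what the new value has to accommodate, while the map.c hunks on this page now use it only for `modifier` and move `skill_name` to MAX_SKILL_NAME_LENGTH. A comment on the define, along the lines of `/* longest zone mapflag parameter the zone parser copies into a fixed buffer, including the NUL */`, adjusted to what the parser actually reads, would let the next maintainer check the number rather than guess at it. If 65 was derived from another constant, writing the derivation as an expression would be better still than a second literal.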