authorai4rei <ai4rei@54d463be-8e91-2dee-dedb-b68131a5f0ec>2011-02-14 12:49:08 +0000
committerai4rei <ai4rei@54d463be-8e91-2dee-dedb-b68131a5f0ec>2011-02-14 12:49:08 +0000
commit66a2591b0efac372690b707ed1020a376f260ded (patch)
treebe730d633c409a33b26d37974ef84c520fa80c8a /src/map/clif.c
parent71bce4923da7217a0836e151e23248e836444600 (diff)
* Fixed a crash when script 'npctalk' is given a too-long string (bugreport:4759, related r2145).
- Fixed related buffer overflows in message related clif functions (since r1182, r14270). git-svn-id: https://rathena.svn.sourceforge.net/svnroot/rathena/trunk@14704 54d463be-8e91-2dee-dedb-b68131a5f0ec
Diffstat (limited to 'src/map/clif.c')
-rw-r--r--src/map/clif.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/src/map/clif.c b/src/map/clif.c
index 4d3ca1b19..c8d0ad32d 100644
--- a/src/map/clif.c
+++ b/src/map/clif.c
@@ -4930,6 +4930,12 @@ void clif_GlobalMessage(struct block_list* bl, const char* message)
len = strlen(message)+1;
+ if( len > sizeof(buf)-8 )
+ {
+ ShowWarning("clif_GlobalMessage: Truncating too long message '%s' (len=%d).\n", message, len);
+ len = sizeof(buf)-8;
+ }
+
WBUFW(buf,0)=0x8d;
WBUFW(buf,2)=len+8;
WBUFL(buf,4)=bl->id;
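Review bot: After the clamp to `sizeof(buf)-8`, `len` no longer covers the terminating NUL that `strlen(message)+1` accounted for, so the truncated payload is NUL-terminated only if the copy that follows the hunk adds one. That copy is outside the hunk; if it is a plain `memcpy` of `len` bytes, the receiver is handed an unterminated string, so I would terminate explicitly after it, e.g. `WBUFB(buf,8+len-1) = '\0';`, or use a bounded copy that always terminates. The same applies to the clamps in clif_messagecolor (12-byte header) and clif_message (8-byte header).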
@@ -7513,6 +7519,12 @@ int clif_messagecolor(struct block_list* bl, unsigned long color, const char* ms
nullpo_ret(bl);
+ if( msg_len > sizeof(buf)-12 )
+ {
+ ShowWarning("clif_messagecolor: Truncating too long message '%s' (len=%u).\n", msg, msg_len);
+ msg_len = sizeof(buf)-12;
+ }
+
WBUFW(buf,0) = 0x2C1;
WBUFW(buf,2) = msg_len + 12;
WBUFL(buf,4) = bl->id;
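Review bot: The warning formats the whole over-long `msg` with an unbounded `%s`, so the string that was just judged too large for the packet is handed in full to the logger, and script-supplied text reaches the log unfiltered. Whether ShowWarning bounds its own formatting buffer is not visible here, so a precision keeps this safe regardless: `ShowWarning("clif_messagecolor: Truncating too long message '%.64s' (len=%u).\n", msg, msg_len);` (64 is an example limit). The warnings in clif_GlobalMessage and clif_message have the same form. `msg_len` is declared outside the hunk, so `%u` should be checked against its actual type.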
@@ -7532,6 +7544,12 @@ int clif_message(struct block_list* bl, const char* msg)
nullpo_ret(bl);
+ if( msg_len > sizeof(buf)-8 )
+ {
+ ShowWarning("clif_message: Truncating too long message '%s' (len=%u).\n", msg, msg_len);
+ msg_len = sizeof(buf)-8;
+ }
+
WBUFW(buf,0) = 0x8d;
WBUFW(buf,2) = msg_len + 8;
WBUFL(buf,4) = bl->id;
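Review bot: The literal `8` in `sizeof(buf)-8` and `msg_len + 8` is the header size implied by the writes at offsets 0, 2 and 4, but nothing says so, and the clamp and the length field have to be kept in step by hand. A short comment above the check would tie them together: `/* 8 = header: packet id (2) + packet length (2) + bl->id (4) */`. clif_message's body starts and ends outside the hunk, so the declaration of `buf` and the copy that uses `msg_len` are not visible here.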