-rw-r--r--Changelog-Trunk.txt3
-rw-r--r--src/map/clif.c18
-rw-r--r--src/map/script.c14
3 files changed, 28 insertions, 7 deletions
diff --git a/Changelog-Trunk.txt b/Changelog-Trunk.txt
index 689133ab7..f72076457 100644
--- a/Changelog-Trunk.txt
+++ b/Changelog-Trunk.txt
@@ -1,5 +1,8 @@
Date Added
+2011/02/14
+ * Fixed a crash when script 'npctalk' is given too long string (bugreport:4759, related r2145). [Ai4rei]
+ - Fixed related buffer overflows in message related clif functions (since r1182, r14270).
2011/02/09
* Fixed script command 'bpet' (Pet Incubator) displaying an empty egg list when attempting to hatch a pet while already having one out (bugreport:3313). [Ai4rei]
2011/02/08
diff --git a/src/map/clif.c b/src/map/clif.c
index 4d3ca1b19..c8d0ad32d 100644
--- a/src/map/clif.c
+++ b/src/map/clif.c
@@ -4930,6 +4930,12 @@ void clif_GlobalMessage(struct block_list* bl, const char* message)
len = strlen(message)+1;
+ if( len > sizeof(buf)-8 )
+ {
+ ShowWarning("clif_GlobalMessage: Truncating too long message '%s' (len=%d).\n", message, len);
+ len = sizeof(buf)-8;
+ }
+
WBUFW(buf,0)=0x8d;
WBUFW(buf,2)=len+8;
WBUFL(buf,4)=bl->id;
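Review bot: Clamping `len` to `sizeof(buf)-8` on the line after the warning drops the terminating NUL that `len = strlen(message)+1` had budgeted for: when the message is over-long, every one of its first `sizeof(buf)-8` bytes is non-NUL, so if the copy later in the function (outside this hunk) transfers `len` bytes, packet 0x8d leaves with an unterminated string and the receiver has to find its own end. The same applies to the `msg_len` clamps in the clif_messagecolor and clif_message hunks below. The clamp should leave room for the terminator and write it, e.g. after the copy `WBUFB(buf,8+len-1) = '\0';` here and in clif_message, and `WBUFB(buf,12+msg_len-1) = '\0';` in clif_messagecolor. The warning also formats `len` with `%d` while the other two hunks use `%u`; whatever type `len` has (its declaration is outside the hunk), the three should agree, with a cast to `unsigned` or `%zu` if it is `size_t`. clif_GlobalMessage's body continues past the hunk.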
@@ -7513,6 +7519,12 @@ int clif_messagecolor(struct block_list* bl, unsigned long color, const char* ms
nullpo_ret(bl);
+ if( msg_len > sizeof(buf)-12 )
+ {
+ ShowWarning("clif_messagecolor: Truncating too long message '%s' (len=%u).\n", msg, msg_len);
+ msg_len = sizeof(buf)-12;
+ }
+
WBUFW(buf,0) = 0x2C1;
WBUFW(buf,2) = msg_len + 12;
WBUFL(buf,4) = bl->id;
@@ -7532,6 +7544,12 @@ int clif_message(struct block_list* bl, const char* msg)
nullpo_ret(bl);
+ if( msg_len > sizeof(buf)-8 )
+ {
+ ShowWarning("clif_message: Truncating too long message '%s' (len=%u).\n", msg, msg_len);
+ msg_len = sizeof(buf)-8;
+ }
+
WBUFW(buf,0) = 0x8d;
WBUFW(buf,2) = msg_len + 8;
WBUFL(buf,4) = bl->id;
diff --git a/src/map/script.c b/src/map/script.c
index df862dcc0..bbb0041de 100644
--- a/src/map/script.c
+++ b/src/map/script.c
@@ -11813,17 +11813,17 @@ BUILDIN_FUNC(message)
BUILDIN_FUNC(npctalk)
{
const char* str;
- char message[255];
+ char name[NAME_LENGTH], message[256];
struct npc_data* nd = (struct npc_data *)map_id2bl(st->oid);
str = script_getstr(st,2);
- if(nd) {
- memcpy(message, nd->name, NAME_LENGTH);
- strtok(message, "#"); // discard extra name identifier if present
- strcat(message, " : ");
- strncat(message, str, 254); //Prevent overflow possibility. [Skotlex]
- clif_message(&(nd->bl), message);
+ if(nd)
+ {
+ safestrncpy(name, nd->name, sizeof(name));
+ strtok(name, "#"); // discard extra name identifier if present
+ safesnprintf(message, sizeof(message), "%s : %s", name, str);
+ clif_message(&nd->bl, message);
}
return 0;
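Review bot: The `strtok(name, "#")` call on the new line keeps the quirk of the old code: it cuts `name` in place at the first `#` but discards the return value, so a name that begins with `#` keeps that prefix (strtok skips leading delimiters rather than overwriting them), and it clobbers strtok's static state for any caller up the stack. A plain `char* p = strchr(name, '#'); if( p ) *p = '\0';` does the intended cut without either side effect. The `safesnprintf` line also deserves a comment that the result is silently truncated to `sizeof(message)-1` characters, since a 256-byte message is presumably within clif_message's own limit and its truncation warning will likely not fire for this caller: `// truncates silently; clif_message receives at most 255 chars`. npctalk's closing brace is outside the hunk.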