diff options
-rw-r--r-- | Changelog-Trunk.txt | 3 | ||||
-rw-r--r-- | src/map/clif.c | 18 | ||||
-rw-r--r-- | src/map/script.c | 14 |
3 files changed, 28 insertions, 7 deletions
diff --git a/Changelog-Trunk.txt b/Changelog-Trunk.txt index 689133ab7..f72076457 100644 --- a/Changelog-Trunk.txt +++ b/Changelog-Trunk.txt @@ -1,5 +1,8 @@ Date Added +2011/02/14 + * Fixed a crash when script 'npctalk' is given too long string (bugreport:4759, related r2145). [Ai4rei] + - Fixed related buffer overflows in message related clif functions (since r1182, r14270). 2011/02/09 * Fixed script command 'bpet' (Pet Incubator) displaying an empty egg list when attempting to hatch a pet while already having one out (bugreport:3313). [Ai4rei] 2011/02/08 diff --git a/src/map/clif.c b/src/map/clif.c index 4d3ca1b19..c8d0ad32d 100644 --- a/src/map/clif.c +++ b/src/map/clif.c @@ -4930,6 +4930,12 @@ void clif_GlobalMessage(struct block_list* bl, const char* message) len = strlen(message)+1; + if( len > sizeof(buf)-8 ) + { + ShowWarning("clif_GlobalMessage: Truncating too long message '%s' (len=%d).\n", message, len); + len = sizeof(buf)-8; + } + WBUFW(buf,0)=0x8d; WBUFW(buf,2)=len+8; WBUFL(buf,4)=bl->id; @@ -7513,6 +7519,12 @@ int clif_messagecolor(struct block_list* bl, unsigned long color, const char* ms nullpo_ret(bl); + if( msg_len > sizeof(buf)-12 ) + { + ShowWarning("clif_messagecolor: Truncating too long message '%s' (len=%u).\n", msg, msg_len); + msg_len = sizeof(buf)-12; + } + WBUFW(buf,0) = 0x2C1; WBUFW(buf,2) = msg_len + 12; WBUFL(buf,4) = bl->id; @@ -7532,6 +7544,12 @@ int clif_message(struct block_list* bl, const char* msg) nullpo_ret(bl); + if( msg_len > sizeof(buf)-8 ) + { + ShowWarning("clif_message: Truncating too long message '%s' (len=%u).\n", msg, msg_len); + msg_len = sizeof(buf)-8; + } + WBUFW(buf,0) = 0x8d; WBUFW(buf,2) = msg_len + 8; WBUFL(buf,4) = bl->id; diff --git a/src/map/script.c b/src/map/script.c index df862dcc0..bbb0041de 100644 --- a/src/map/script.c +++ b/src/map/script.c @@ -11813,17 +11813,17 @@ BUILDIN_FUNC(message) BUILDIN_FUNC(npctalk) { const char* str; - char message[255]; + char name[NAME_LENGTH], message[256]; struct npc_data* nd = (struct npc_data *)map_id2bl(st->oid); str = script_getstr(st,2); - if(nd) { - memcpy(message, nd->name, NAME_LENGTH); - strtok(message, "#"); // discard extra name identifier if present - strcat(message, " : "); - strncat(message, str, 254); //Prevent overflow possibility. [Skotlex] - clif_message(&(nd->bl), message); + if(nd) + { + safestrncpy(name, nd->name, sizeof(name)); + strtok(name, "#"); // discard extra name identifier if present + safesnprintf(message, sizeof(message), "%s : %s", name, str); + clif_message(&nd->bl, message); } return 0; |