shithub: choc

Download patch

ref: ffa290d23c4a9b90341306866eb53f5a1b3f19aa
parent: 55fb41791d467a8c6b1609770c9cc3348079b5cb
author: Simon Howard <fraggle@soulsphere.org>
date: Fri Jan 5 15:44:51 EST 2018 

hexen: Validate strings during header parsing.

Strings must be terminated with a NUL before the end of the lump is
reached; if not they are invalid. Check that this really is the case.


--- a/src/hexen/p_acs.c
+++ b/src/hexen/p_acs.c
@@ -447,7 +447,7 @@
 
 void P_LoadACScripts(int lump)
 {
-    int i;
+    int i, offset;
     acsHeader_t *header;
     acsInfo_t *info;
 
@@ -500,7 +500,10 @@
 
     for (i=0; i<ACStringCount; ++i)
     {
-        ACStrings[i] = (char *) ActionCodeBase + ReadOffset();
+        offset = ReadOffset();
+        ACStrings[i] = (char *) ActionCodeBase + offset;
+        ACSAssert(memchr(ACStrings[i], '\0', ActionCodeSize - offset) != NULL,
+                  "string %d missing terminating NUL", i);
     }
 
     memset(MapVars, 0, sizeof(MapVars));