

ref: f7b428752fce30cf49fb1d5b28154921931463d7
parent: 143f3b96460efad75ba1f0d2a7823f5f075cf17d
parent: 90de32a83d7fcd335a883dee2ae95848635f1633
author: Clownacy <Clownacy@users.noreply.github.com>
date: Thu Jul 2 11:52:53 EDT 2020

Merge pull request #137 from GabrielRavier/accurateFixBugsTscBufferSizeCrash

accurate:  Do not crash when TSC files are too big with FIX_BUGS

--- a/src/TextScr.cpp
+++ b/src/TextScr.cpp
@@ -167,6 +167,13 @@
 	if (head_size == INVALID_FILE_SIZE)
 		return FALSE;
 
+#ifdef FIX_BUGS
+	// The original doesn't check for any kind of buffer overflow here, so feeding in a 1 MiB Head.tsc
+	// (assuming an unchanged TSC_BUFFER_SIZE) would be sure to crash the game, for example.
+	if (head_size > TSC_BUFFER_SIZE)
+		return FALSE;
+#endif
+
 	fp = fopen(path, "rb");
 	if (fp == NULL)
 		return FALSE;
@@ -183,6 +190,12 @@
 	body_size = GetFileSizeLong(path);
 	if (body_size == INVALID_FILE_SIZE)
 		return FALSE;
+
+#ifdef FIX_BUGS
+	// Same as above: the original doesn't bother checking, and may crash on large-enough input
+	if (head_size + body_size > TSC_BUFFER_SIZE)
+		return FALSE;
+#endif
 
 	fp = fopen(path, "rb");
 	if (fp == NULL)
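Review bot: The new guard `if (head_size + body_size > TSC_BUFFER_SIZE)` computes the sum before comparing it, so a body file whose size is close to the maximum of the size type can overflow the addition and slip past the check instead of being rejected; the types of head_size and body_size are not visible in this hunk, but if they are signed (as the INVALID_FILE_SIZE sentinel suggests) that overflow is undefined behaviour rather than a wraparound. Rewriting it as a subtraction avoids the sum entirely: `if (body_size > TSC_BUFFER_SIZE - head_size)`, which is safe as long as the earlier FIX_BUGS check in this file (head_size > TSC_BUFFER_SIZE → FALSE) has already run on the same head_size, so the right-hand side cannot go negative. The comment above the check could state that dependency explicitly, e.g. `// head_size <= TSC_BUFFER_SIZE is guaranteed by the check above, so this cannot underflow`. The enclosing function begins outside the hunk, so whether both checks are on the same path should be confirmed before relying on it.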