Merge pull request #167 from samisalreadytaken/secfix

Security fixes
mapbase-source · Jan 9, 2022 · ea7a8cd · ea7a8cd
2 parents 214f79e + 74d219a
commit ea7a8cd
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 13 deletions.
diff --git a/sp/src/game/client/hud_closecaption.cpp b/sp/src/game/client/hud_closecaption.cpp
@@ -1302,7 +1302,7 @@ void CHudCloseCaption::Reset( void )
 	Unlock();
 }
 
-bool CHudCloseCaption::SplitCommand( wchar_t const **ppIn, wchar_t *cmd, wchar_t *args ) const
+bool CHudCloseCaption::SplitCommand( wchar_t const **ppIn, wchar_t *cmd, wchar_t *args, int size ) const
 {
 	const wchar_t *in = *ppIn;
 	const wchar_t *oldin = in;
@@ -1317,8 +1317,11 @@ bool CHudCloseCaption::SplitCommand( wchar_t const **ppIn, wchar_t *cmd, wchar_t
 	cmd[ 0 ]= 0;
 	wchar_t *out = cmd;
 	in++;
-	while ( *in != L'\0' && *in != L':' && *in != L'>' && !isspace( *in ) )
+	while ( *in != L'\0' && *in != L':' && *in != L'>' && !V_isspace( *in ) )
 	{
+		if ( (int)( out - cmd ) + (int)sizeof( wchar_t ) >= size )
+			break;
+
 		*out++ = *in++;
 	}
 	*out = L'\0';
@@ -1333,6 +1336,9 @@ bool CHudCloseCaption::SplitCommand( wchar_t const **ppIn, wchar_t *cmd, wchar_t
 	out = args;
 	while ( *in != L'\0' && *in != L'>' )
 	{
+		if ( (int)( out - args ) + (int)sizeof( wchar_t ) >= size )
+			break;
+
 		*out++ = *in++;
 	}
 	*out = L'\0';
@@ -1360,7 +1366,7 @@ bool CHudCloseCaption::GetFloatCommandValue( const wchar_t *stream, const wchar_
 		wchar_t cmd[ 256 ];
 		wchar_t args[ 256 ];
 
-		if ( SplitCommand( &curpos, cmd, args ) )
+		if ( SplitCommand( &curpos, cmd, args, sizeof( cmd ) ) )
 		{
 			if ( !wcscmp( cmd, findcmd ) )
 			{
@@ -1384,7 +1390,7 @@ bool CHudCloseCaption::StreamHasCommand( const wchar_t *stream, const wchar_t *f
 		wchar_t cmd[ 256 ];
 		wchar_t args[ 256 ];
 
-		if ( SplitCommand( &curpos, cmd, args ) )
+		if ( SplitCommand( &curpos, cmd, args, sizeof( cmd ) ) )
 		{
 			if ( !wcscmp( cmd, findcmd ) )
 			{
@@ -1423,7 +1429,7 @@ bool CHudCloseCaption::StreamHasCommand( const wchar_t *stream, const wchar_t *s
 		wchar_t cmd[ 256 ];
 		wchar_t args[ 256 ];
 
-		if ( SplitCommand( &curpos, cmd, args ) )
+		if ( SplitCommand( &curpos, cmd, args, sizeof( cmd ) ) )
 		{
 			if ( !wcscmp( cmd, search ) )
 			{
@@ -1515,7 +1521,7 @@ void CHudCloseCaption::Process( const wchar_t *stream, float duration, const cha
 
 		const wchar_t *prevpos = curpos;
 
-		if ( SplitCommand( &curpos, cmd, args ) )
+		if ( SplitCommand( &curpos, cmd, args, sizeof( cmd ) ) )
 		{
 			if ( !wcscmp( cmd, L"delay" ) )
 			{
@@ -1722,7 +1728,7 @@ void CHudCloseCaption::ComputeStreamWork( int available_width, CCloseCaptionItem
 		wchar_t cmd[ 256 ];
 		wchar_t args[ 256 ];
 
-		if ( SplitCommand( &curpos, cmd, args ) )
+		if ( SplitCommand( &curpos, cmd, args, sizeof( cmd ) ) )
 		{
 			if ( !wcscmp( cmd, L"cr" ) )
 			{
@@ -1976,7 +1982,7 @@ bool CHudCloseCaption::GetNoRepeatValue( const wchar_t *caption, float &retval )
 		wchar_t cmd[ 256 ];
 		wchar_t args[ 256 ];
 
-		if ( SplitCommand( &curpos, cmd, args ) )
+		if ( SplitCommand( &curpos, cmd, args, sizeof( cmd ) ) )
 		{
 			if ( !wcscmp( cmd, L"norepeat" ) )
 			{

diff --git a/sp/src/game/client/hud_closecaption.h b/sp/src/game/client/hud_closecaption.h
@@ -179,7 +179,7 @@ class CHudCloseCaption : public CHudElement, public vgui::Panel
 
 	void	DrawStream( wrect_t& rect, wrect_t &rcWindow, CCloseCaptionItem *item, int iFadeLine, float flFadeLineAlpha ); 
 	void	ComputeStreamWork( int available_width, CCloseCaptionItem *item );
-	bool	SplitCommand( wchar_t const **ppIn, wchar_t *cmd, wchar_t *args ) const;
+	bool	SplitCommand( wchar_t const **ppIn, wchar_t *cmd, wchar_t *args, int size ) const;
 
 	bool	StreamHasCommand( const wchar_t *stream, const wchar_t *findcmd ) const;
 	bool	GetFloatCommandValue( const wchar_t *stream, const wchar_t *findcmd, float& value ) const;

diff --git a/sp/src/game/client/vgui_debugoverlaypanel.cpp b/sp/src/game/client/vgui_debugoverlaypanel.cpp
@@ -129,7 +129,7 @@ void CDebugOverlay::Paint()
 				{
 					float xPos		= screenPos[0];
 					float yPos		= screenPos[1]+ (pCurrText->lineOffset*13); // Line spacing;
-					g_pMatSystemSurface->DrawColoredText( m_hFont, xPos, yPos, r, g, b, a, pCurrText->text );
+					g_pMatSystemSurface->DrawColoredText( m_hFont, xPos, yPos, r, g, b, a, "%s", pCurrText->text );
 				}
 			}
 			else
@@ -138,7 +138,7 @@ void CDebugOverlay::Paint()
 				{	
 					float xPos		= screenPos[0];
 					float yPos		= screenPos[1]+ (pCurrText->lineOffset*13); // Line spacing;
-					g_pMatSystemSurface->DrawColoredText( m_hFont, xPos, yPos, r, g, b, a, pCurrText->text );
+					g_pMatSystemSurface->DrawColoredText( m_hFont, xPos, yPos, r, g, b, a, "%s", pCurrText->text );
 				}
 			}
 		}

diff --git a/sp/src/game/shared/mapbase/vscript_funcs_shared.cpp b/sp/src/game/shared/mapbase/vscript_funcs_shared.cpp
@@ -929,7 +929,7 @@ bool ScriptIsClient()
 // Notification printing on the right edge of the screen
 void NPrint( int pos, const char* fmt )
 {
-	engine->Con_NPrintf(pos, fmt);
+	engine->Con_NPrintf( pos, "%s", fmt );
 }
 
 void NXPrint( int pos, int r, int g, int b, bool fixed, float ftime, const char* fmt )
@@ -943,7 +943,7 @@ void NXPrint( int pos, int r, int g, int b, bool fixed, float ftime, const char*
 	info.color[2] = b / 255.f;
 	info.fixed_width_font = fixed;
 
-	engine->Con_NXPrintf( &info, fmt );
+	engine->Con_NXPrintf( &info, "%s", fmt );
 }
 
 static float IntervalPerTick()