From c46162469a296999834c77a73ddf8202e3cbd95b Mon Sep 17 00:00:00 2001 From: Andrey Akhmichin <15944199+nekonomicon@users.noreply.github.com> Date: Thu, 19 Sep 2024 01:33:43 +0500 Subject: [PATCH] Additional bounds checks on client-side. --- cl_dll/ammo.cpp | 19 ++++++++++++++++++- cl_dll/hud_spectator.cpp | 4 +++- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/cl_dll/ammo.cpp b/cl_dll/ammo.cpp index 81302a35..68b0314e 100644 --- a/cl_dll/ammo.cpp +++ b/cl_dll/ammo.cpp @@ -647,7 +647,9 @@ int CHudAmmo::MsgFunc_WeaponList( const char *pszName, int iSize, void *pbuf ) WEAPON Weapon; - strcpy( Weapon.szName, READ_STRING() ); + strncpy( Weapon.szName, READ_STRING(), sizeof(Weapon.szName) ); + Weapon.szName[sizeof(Weapon.szName) - 1] = '\0'; + Weapon.iAmmoType = (int)READ_CHAR(); Weapon.iMax1 = READ_BYTE(); @@ -665,6 +667,21 @@ int CHudAmmo::MsgFunc_WeaponList( const char *pszName, int iSize, void *pbuf ) Weapon.iFlags = READ_BYTE(); Weapon.iClip = 0; + if( Weapon.iId < 0 || Weapon.iId >= MAX_WEAPONS ) + return 0; + if( Weapon.iSlot < 0 || Weapon.iSlot >= MAX_WEAPON_SLOTS + 1 ) + return 0; + if( Weapon.iSlotPos < 0 || Weapon.iSlotPos >= MAX_WEAPON_POSITIONS + 1 ) + return 0; + if( Weapon.iAmmoType < -1 || Weapon.iAmmoType >= MAX_AMMO_TYPES ) + return 0; + if( Weapon.iAmmo2Type < -1 || Weapon.iAmmo2Type >= MAX_AMMO_TYPES ) + return 0; + if( Weapon.iAmmoType >= 0 && Weapon.iMax1 == 0 ) + return 0; + if( Weapon.iAmmo2Type >= 0 && Weapon.iMax2 == 0 ) + return 0; + gWR.AddWeapon( &Weapon ); return 1; diff --git a/cl_dll/hud_spectator.cpp b/cl_dll/hud_spectator.cpp index 278ab8be..180c4f27 100644 --- a/cl_dll/hud_spectator.cpp +++ b/cl_dll/hud_spectator.cpp @@ -218,7 +218,9 @@ void UTIL_StringToVector( float * pVector, const char *pString ) char *pstr, *pfront, tempString[128]; int j; - strcpy( tempString, pString ); + strncpy( tempString, pString, sizeof( tempString ) ); + tempString[sizeof( tempString ) - 1] = '\0'; + pstr = pfront = tempString; for( j = 0; j < 3; j++ )