Additional bounds checks on client-side.

FreeSlave · Sep 18, 2024 · c461624 · c461624
1 parent 13a83d1
commit c461624
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/cl_dll/ammo.cpp b/cl_dll/ammo.cpp
@@ -647,7 +647,9 @@ int CHudAmmo::MsgFunc_WeaponList( const char *pszName, int iSize, void *pbuf )
 
 	WEAPON Weapon;
 
-	strcpy( Weapon.szName, READ_STRING() );
+	strncpy( Weapon.szName, READ_STRING(), sizeof(Weapon.szName) );
+	Weapon.szName[sizeof(Weapon.szName) - 1] = '\0';
+
 	Weapon.iAmmoType = (int)READ_CHAR();	
 
 	Weapon.iMax1 = READ_BYTE();
@@ -665,6 +667,21 @@ int CHudAmmo::MsgFunc_WeaponList( const char *pszName, int iSize, void *pbuf )
 	Weapon.iFlags = READ_BYTE();
 	Weapon.iClip = 0;
 
+	if( Weapon.iId < 0 || Weapon.iId >= MAX_WEAPONS )
+		return 0;
+	if( Weapon.iSlot < 0 || Weapon.iSlot >= MAX_WEAPON_SLOTS + 1 )
+		return 0;
+	if( Weapon.iSlotPos < 0 || Weapon.iSlotPos >= MAX_WEAPON_POSITIONS + 1 )
+		return 0;
+	if( Weapon.iAmmoType < -1 || Weapon.iAmmoType >= MAX_AMMO_TYPES )
+		return 0;
+	if( Weapon.iAmmo2Type < -1 || Weapon.iAmmo2Type >= MAX_AMMO_TYPES )
+		return 0;
+	if( Weapon.iAmmoType >= 0 && Weapon.iMax1 == 0 )
+		return 0;
+	if( Weapon.iAmmo2Type >= 0 && Weapon.iMax2 == 0 )
+		return 0;
+
 	gWR.AddWeapon( &Weapon );
 
 	return 1;

diff --git a/cl_dll/hud_spectator.cpp b/cl_dll/hud_spectator.cpp
@@ -218,7 +218,9 @@ void UTIL_StringToVector( float * pVector, const char *pString )
 	char *pstr, *pfront, tempString[128];
 	int	j;
 
-	strcpy( tempString, pString );
+	strncpy( tempString, pString, sizeof( tempString ) );
+	tempString[sizeof( tempString ) - 1] = '\0';
+
 	pstr = pfront = tempString;
 
 	for( j = 0; j < 3; j++ )