The Hud's saytext message handling can cause a buffer overflow here:
halflife/cl_dll/saytext.cpp, line 220 in c7240b9
This copies the incoming text into a buffer. The maximum number of characters is calculated as the greater of the buffer size and the size of the incoming text. This means a sufficiently large piece of text would overflow the buffer.
In practice this will never happen because the maximum size that a user message can be is smaller than the buffer size (192 bytes vs 256), but if that size were ever increased it could become an issue.
To fix this, the code needs to be changed to:
strncpy( g_szLineBuffer[i], pszBuf, min(iBufSize , MAX_CHARS_PER_LINE) );
Though it's probably fine to remove the use of min altogether and just pass MAX_CHARS_PER_LINE instead, along with null terminating the buffer.
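The length calculation the issue describes, beside the bounded copy it proposes, as an added C example that is not the SDK's own code: the buffer size of 256 comes from the issue, while the function names, the stand-in line buffer and the oversized test message are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the client's per-line buffer size (256 bytes, as the issue states). */
#define MAX_CHARS_PER_LINE 256

/* Length argument as the issue describes the current code: the GREATER of the two sizes.
 * For a message longer than the line buffer this exceeds the destination, so strncpy
 * would write past the end of it. */
size_t saytext_copy_len_buggy(size_t iBufSize)
{
    return iBufSize > MAX_CHARS_PER_LINE ? iBufSize : MAX_CHARS_PER_LINE;
}

/* Length argument from the proposed fix: never more than the destination can hold. */
size_t saytext_copy_len_fixed(size_t iBufSize)
{
    return iBufSize < MAX_CHARS_PER_LINE ? iBufSize : MAX_CHARS_PER_LINE;
}

/* Bounded copy that applies the fix and also guarantees NUL termination, which plain
 * strncpy does not when the source fills the whole buffer. Returns bytes copied
 * (excluding the terminator), or 0 for an empty destination. */
size_t saytext_copy_line(char *dst, size_t dstSize, const char *pszBuf, size_t iBufSize)
{
    if (dstSize == 0)
        return 0;
    size_t n = iBufSize < dstSize - 1 ? iBufSize : dstSize - 1;
    memcpy(dst, pszBuf, n);
    dst[n] = '\0';
    return n;
}

/* Self-check: copy a constructed message of msgLen 'A' characters into a line buffer.
 * Returns the bytes written, or 0 if the result is not properly NUL-terminated. */
size_t saytext_demo(size_t msgLen)
{
    char line[MAX_CHARS_PER_LINE];
    char msg[512];                      /* constructed oversized source message */
    if (msgLen >= sizeof(msg))
        return 0;
    memset(msg, 'A', msgLen);
    msg[msgLen] = '\0';
    size_t n = saytext_copy_line(line, sizeof(line), msg, msgLen);
    return strlen(line) == n ? n : 0;
}

int main(void)
{
    printf("299-byte message: buggy count %zu, fixed count %zu, buffer %d\n",
           saytext_copy_len_buggy(299), saytext_copy_len_fixed(299), MAX_CHARS_PER_LINE);
    printf("copied %zu bytes, terminated\n", saytext_demo(299));
    return 0;
}
```

With a 192-byte message (the current maximum) the buggy count is 256, which strncpy tolerates because it stops at the source's terminator; the count only exceeds the buffer once a message is longer than 256 bytes.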