Fix buffer overflow exploit

samisalreadytaken · samisalreadytaken · commit 74d219add46b · 2021-10-23T18:45:15.000+03:00
diff --git a/sp/src/game/client/hud_closecaption.cpp b/sp/src/game/client/hud_closecaption.cpp
@@ -1302,7 +1302,7 @@ void CHudCloseCaption::Reset( void )
 	Unlock();
 }
 
-bool CHudCloseCaption::SplitCommand( wchar_t const **ppIn, wchar_t *cmd, wchar_t *args ) const
+bool CHudCloseCaption::SplitCommand( wchar_t const **ppIn, wchar_t *cmd, wchar_t *args, int size ) const
 {
 	const wchar_t *in = *ppIn;
 	const wchar_t *oldin = in;
@@ -1317,8 +1317,11 @@ bool CHudCloseCaption::SplitCommand( wchar_t const **ppIn, wchar_t *cmd, wchar_t
 	cmd[ 0 ]= 0;
 	wchar_t *out = cmd;
 	in++;
-	while ( *in != L'\0' && *in != L':' && *in != L'>' && !isspace( *in ) )
+	while ( *in != L'\0' && *in != L':' && *in != L'>' && !V_isspace( *in ) )
 	{
+		if ( (int)( out - cmd ) + (int)sizeof( wchar_t ) >= size )
+			break;
+
 		*out++ = *in++;
 	}
 	*out = L'\0';
@@ -1333,6 +1336,9 @@ bool CHudCloseCaption::SplitCommand( wchar_t const **ppIn, wchar_t *cmd, wchar_t
 	out = args;
 	while ( *in != L'\0' && *in != L'>' )
 	{
+		if ( (int)( out - args ) + (int)sizeof( wchar_t ) >= size )
+			break;
+
 		*out++ = *in++;
 	}
 	*out = L'\0';
@@ -1360,7 +1366,7 @@ bool CHudCloseCaption::GetFloatCommandValue( const wchar_t *stream, const wchar_
 		wchar_t cmd[ 256 ];
 		wchar_t args[ 256 ];
 
-		if ( SplitCommand( &curpos, cmd, args ) )
+		if ( SplitCommand( &curpos, cmd, args, sizeof( cmd ) ) )
 		{
 			if ( !wcscmp( cmd, findcmd ) )
 			{
@@ -1384,7 +1390,7 @@ bool CHudCloseCaption::StreamHasCommand( const wchar_t *stream, const wchar_t *f
 		wchar_t cmd[ 256 ];
 		wchar_t args[ 256 ];
 
-		if ( SplitCommand( &curpos, cmd, args ) )
+		if ( SplitCommand( &curpos, cmd, args, sizeof( cmd ) ) )
 		{
 			if ( !wcscmp( cmd, findcmd ) )
 			{
@@ -1423,7 +1429,7 @@ bool CHudCloseCaption::StreamHasCommand( const wchar_t *stream, const wchar_t *s
 		wchar_t cmd[ 256 ];
 		wchar_t args[ 256 ];
 
-		if ( SplitCommand( &curpos, cmd, args ) )
+		if ( SplitCommand( &curpos, cmd, args, sizeof( cmd ) ) )
 		{
 			if ( !wcscmp( cmd, search ) )
 			{
@@ -1515,7 +1521,7 @@ void CHudCloseCaption::Process( const wchar_t *stream, float duration, const cha
 
 		const wchar_t *prevpos = curpos;
 
-		if ( SplitCommand( &curpos, cmd, args ) )
+		if ( SplitCommand( &curpos, cmd, args, sizeof( cmd ) ) )
 		{
 			if ( !wcscmp( cmd, L"delay" ) )
 			{
@@ -1722,7 +1728,7 @@ void CHudCloseCaption::ComputeStreamWork( int available_width, CCloseCaptionItem
 		wchar_t cmd[ 256 ];
 		wchar_t args[ 256 ];
 
-		if ( SplitCommand( &curpos, cmd, args ) )
+		if ( SplitCommand( &curpos, cmd, args, sizeof( cmd ) ) )
 		{
 			if ( !wcscmp( cmd, L"cr" ) )
 			{
@@ -1976,7 +1982,7 @@ bool CHudCloseCaption::GetNoRepeatValue( const wchar_t *caption, float &retval )
 		wchar_t cmd[ 256 ];
 		wchar_t args[ 256 ];
 
-		if ( SplitCommand( &curpos, cmd, args ) )
+		if ( SplitCommand( &curpos, cmd, args, sizeof( cmd ) ) )
 		{
 			if ( !wcscmp( cmd, L"norepeat" ) )
 			{
diff --git a/sp/src/game/client/hud_closecaption.h b/sp/src/game/client/hud_closecaption.h
@@ -179,7 +179,7 @@ class CHudCloseCaption : public CHudElement, public vgui::Panel
 
 	void	DrawStream( wrect_t& rect, wrect_t &rcWindow, CCloseCaptionItem *item, int iFadeLine, float flFadeLineAlpha ); 
 	void	ComputeStreamWork( int available_width, CCloseCaptionItem *item );
-	bool	SplitCommand( wchar_t const **ppIn, wchar_t *cmd, wchar_t *args ) const;
+	bool	SplitCommand( wchar_t const **ppIn, wchar_t *cmd, wchar_t *args, int size ) const;
 
 	bool	StreamHasCommand( const wchar_t *stream, const wchar_t *findcmd ) const;
 	bool	GetFloatCommandValue( const wchar_t *stream, const wchar_t *findcmd, float& value ) const;

Original file line number	Diff line number	Diff line change
`@@ -1302,7 +1302,7 @@ void CHudCloseCaption::Reset( void )`
`1302`	`1302`	`Unlock();`
`1303`	`1303`	`}`
`1304`	`1304`
`1305`		`-bool CHudCloseCaption::SplitCommand( wchar_t const *ppIn, wchar_t cmd, wchar_t *args ) const`
	`1305`	`+bool CHudCloseCaption::SplitCommand( wchar_t const *ppIn, wchar_t cmd, wchar_t *args, int size ) const`
`1306`	`1306`	`{`
`1307`	`1307`	`const wchar_t in = ppIn;`
`1308`	`1308`	`const wchar_t *oldin = in;`
`@@ -1317,8 +1317,11 @@ bool CHudCloseCaption::SplitCommand( wchar_t const *ppIn, wchar_t cmd, wchar_t`
`1317`	`1317`	`cmd[ 0 ]= 0;`
`1318`	`1318`	`wchar_t *out = cmd;`
`1319`	`1319`	`in++;`
`1320`		`- while ( in != L'\0' && in != L':' && in != L'>' && !isspace( in ) )`
	`1320`	`+ while ( in != L'\0' && in != L':' && in != L'>' && !V_isspace( in ) )`
`1321`	`1321`	`{`
	`1322`	`+ if ( (int)( out - cmd ) + (int)sizeof( wchar_t ) >= size )`
	`1323`	`+ break;`
	`1324`	`+`
`1322`	`1325`	`out++ = in++;`
`1323`	`1326`	`}`
`1324`	`1327`	`*out = L'\0';`
`@@ -1333,6 +1336,9 @@ bool CHudCloseCaption::SplitCommand( wchar_t const *ppIn, wchar_t cmd, wchar_t`
`1333`	`1336`	`out = args;`
`1334`	`1337`	`while ( in != L'\0' && in != L'>' )`
`1335`	`1338`	`{`
	`1339`	`+ if ( (int)( out - args ) + (int)sizeof( wchar_t ) >= size )`
	`1340`	`+ break;`
	`1341`	`+`
`1336`	`1342`	`out++ = in++;`
`1337`	`1343`	`}`
`1338`	`1344`	`*out = L'\0';`
`@@ -1360,7 +1366,7 @@ bool CHudCloseCaption::GetFloatCommandValue( const wchar_t *stream, const wchar_`
`1360`	`1366`	`wchar_t cmd[ 256 ];`
`1361`	`1367`	`wchar_t args[ 256 ];`
`1362`	`1368`
`1363`		`- if ( SplitCommand( &curpos, cmd, args ) )`
	`1369`	`+ if ( SplitCommand( &curpos, cmd, args, sizeof( cmd ) ) )`
`1364`	`1370`	`{`
`1365`	`1371`	`if ( !wcscmp( cmd, findcmd ) )`
`1366`	`1372`	`{`
`@@ -1384,7 +1390,7 @@ bool CHudCloseCaption::StreamHasCommand( const wchar_t stream, const wchar_t f`
`1384`	`1390`	`wchar_t cmd[ 256 ];`
`1385`	`1391`	`wchar_t args[ 256 ];`
`1386`	`1392`
`1387`		`- if ( SplitCommand( &curpos, cmd, args ) )`
	`1393`	`+ if ( SplitCommand( &curpos, cmd, args, sizeof( cmd ) ) )`
`1388`	`1394`	`{`
`1389`	`1395`	`if ( !wcscmp( cmd, findcmd ) )`
`1390`	`1396`	`{`
`@@ -1423,7 +1429,7 @@ bool CHudCloseCaption::StreamHasCommand( const wchar_t stream, const wchar_t s`
`1423`	`1429`	`wchar_t cmd[ 256 ];`
`1424`	`1430`	`wchar_t args[ 256 ];`
`1425`	`1431`
`1426`		`- if ( SplitCommand( &curpos, cmd, args ) )`
	`1432`	`+ if ( SplitCommand( &curpos, cmd, args, sizeof( cmd ) ) )`
`1427`	`1433`	`{`
`1428`	`1434`	`if ( !wcscmp( cmd, search ) )`
`1429`	`1435`	`{`
`@@ -1515,7 +1521,7 @@ void CHudCloseCaption::Process( const wchar_t *stream, float duration, const cha`
`1515`	`1521`
`1516`	`1522`	`const wchar_t *prevpos = curpos;`
`1517`	`1523`
`1518`		`- if ( SplitCommand( &curpos, cmd, args ) )`
	`1524`	`+ if ( SplitCommand( &curpos, cmd, args, sizeof( cmd ) ) )`
`1519`	`1525`	`{`
`1520`	`1526`	`if ( !wcscmp( cmd, L"delay" ) )`
`1521`	`1527`	`{`
`@@ -1722,7 +1728,7 @@ void CHudCloseCaption::ComputeStreamWork( int available_width, CCloseCaptionItem`
`1722`	`1728`	`wchar_t cmd[ 256 ];`
`1723`	`1729`	`wchar_t args[ 256 ];`
`1724`	`1730`
`1725`		`- if ( SplitCommand( &curpos, cmd, args ) )`
	`1731`	`+ if ( SplitCommand( &curpos, cmd, args, sizeof( cmd ) ) )`
`1726`	`1732`	`{`
`1727`	`1733`	`if ( !wcscmp( cmd, L"cr" ) )`
`1728`	`1734`	`{`
`@@ -1976,7 +1982,7 @@ bool CHudCloseCaption::GetNoRepeatValue( const wchar_t *caption, float &retval )`
`1976`	`1982`	`wchar_t cmd[ 256 ];`
`1977`	`1983`	`wchar_t args[ 256 ];`
`1978`	`1984`
`1979`		`- if ( SplitCommand( &curpos, cmd, args ) )`
	`1985`	`+ if ( SplitCommand( &curpos, cmd, args, sizeof( cmd ) ) )`
`1980`	`1986`	`{`
`1981`	`1987`	`if ( !wcscmp( cmd, L"norepeat" ) )`
`1982`	`1988`	`{`