From 3ad427c68dfa1bea18d9af14badb836e60641423 Mon Sep 17 00:00:00 2001
From: Zack Middleton
Date: Mon, 9 Apr 2018 01:56:07 -0500
Subject: [PATCH] Fix q3history buffer not cleared between mods and OOB-access

Loading a 1024-byte q3history file will fill the whole consoleSaveBuffer leaving no space for a string terminator. Com_Parse will read at least one byte beyond the end of consoleSaveBuffer. The written console history file can only be 1023 bytes (enforced by Q_strcat) so don't allow loading size of 1024. If switching to a mod with a shorter q3history file, the data in consoleSaveBuffer that isn't overwritten will be parsed. So always add a string terminator. String not terminated reported by David "devnexen" CARLIER.
---
 code/client/cl_keys.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/code/client/cl_keys.c b/code/client/cl_keys.c
index 2fb2c1ca..b2bc9559 100644
--- a/code/client/cl_keys.c
+++ b/code/client/cl_keys.c
@@ -1478,9 +1478,10 @@ void CL_LoadConsoleHistory( void )
 		return;
 	}
-	if( consoleSaveBufferSize <= MAX_CONSOLE_SAVE_BUFFER &&
+	if( consoleSaveBufferSize < MAX_CONSOLE_SAVE_BUFFER &&
 		FS_Read( consoleSaveBuffer, consoleSaveBufferSize, f ) == consoleSaveBufferSize )
 	{
+		consoleSaveBuffer[consoleSaveBufferSize] = '\0';
 		text_p = consoleSaveBuffer;
 		for( i = COMMAND_HISTORY - 1; i >= 0; i-- )
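Review bot: The new bound on the `if` line is one-sided: `consoleSaveBufferSize < MAX_CONSOLE_SAVE_BUFFER` still admits a negative value if consoleSaveBufferSize is a signed integer (its declaration and the FS_FOpenFileRead call that sets it are outside the hunk, so this is inferred), and a negative size would then flow into the FS_Read length and into the index of the added `'\0'` store. The preceding `!f` guard probably rules that out in practice, but a two-sided check costs nothing and documents the invariant: `if( consoleSaveBufferSize >= 0 && consoleSaveBufferSize < MAX_CONSOLE_SAVE_BUFFER &&`. The terminator line also deserves a why-comment so the next reader does not "fix" the `<` back to `<=`, e.g. `// size < MAX_CONSOLE_SAVE_BUFFER guarantees room for the terminator; it also stops stale history from a previous mod being parsed`. CL_LoadConsoleHistory begins before the hunk and continues after it.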