Fixed: Buffer overflow in XS_GetType

skyjake · May 31, 2008 · ef9fa17 · ef9fa17
1 parent 615e582
commit ef9fa17
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/doomsday/plugins/common/src/p_xgsec.c b/doomsday/plugins/common/src/p_xgsec.c
@@ -148,8 +148,8 @@ static sectortype_t sectypebuffer;
 
 sectortype_t *XS_GetType(int id)
 {
-    sectortype_t       *ptr;
-    char                buff[5];
+    sectortype_t*       ptr;
+    char                buff[6];
 
     // Try finding it from the DDXGDATA lump.
     ptr = XG_GetLumpSector(id);
@@ -159,7 +159,8 @@ sectortype_t *XS_GetType(int id)
         return &sectypebuffer;
     }
 
-    sprintf(buff, "%i", id);
+    snprintf(buff, 5, "%i", id);
+    buff[5] = '\0';
     if(Def_Get(DD_DEF_SECTOR_TYPE, buff, &sectypebuffer))
         return &sectypebuffer;  // A definition was found.