Buffer overflow in cmd.c #9

Open
prodigysml opened this issue Mar 4, 2018 · 1 comment

Comments

@prodigysml
commented Mar 4, 2018

A buffer overflow scenario can be created within cmd.c. The cmd_args variable within the char *Cmd_Args function is vulnerable to this attack.

The cmd_args variable assigns all the arguments within argv to a single variable, space delimited.
https://github.com/ec-/Quake3e/blob/4660de638d63021f4b940c3ae53c3b64fbaadb1e/code/qcommon/cmd.c#L421

This variable has allotted 1024 bytes for characters as displayed below:
https://github.com/ec-/Quake3e/blob/41aef4a3aacbefa17d4ac4eb01055106a04d1582/code/qcommon/q_shared.h#L221

If we provide arguments with length > 2000, this variable should overflow and cause a crash.
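
Added example, not code from the Quake3e repository or from either commenter: the concatenation pattern the report describes (arguments joined, space delimited, into a fixed 1024-byte buffer) beside a bounds-checked variant that truncates and reports it. All function names and the `ARGS_BUF_SIZE` macro are hypothetical, and the long argument is constructed.

```c
#include <stddef.h>
#include <string.h>

#define ARGS_BUF_SIZE 1024  /* size stated in the issue; macro name is hypothetical */

/* Unbounded pattern as described in the issue: each argument is appended with
 * strcat(), so the running total is never compared with the buffer size. */
char *join_args_unbounded(int argc, char **argv) {
    static char buf[ARGS_BUF_SIZE];
    buf[0] = '\0';
    for (int i = 1; i < argc; i++) {
        strcat(buf, argv[i]);   /* writes past buf once the total exceeds 1023 bytes */
        if (i != argc - 1) strcat(buf, " ");
    }
    return buf;
}

/* Bounded variant: tracks the space used, copies only what fits, always
 * NUL-terminates, and reports truncation through *truncated (may be NULL). */
char *join_args_bounded(int argc, char **argv, int *truncated) {
    static char buf[ARGS_BUF_SIZE];
    size_t used = 0;
    int cut = 0;
    for (int i = 1; i < argc && !cut; i++) {
        size_t len = strlen(argv[i]);
        size_t room = sizeof(buf) - 1 - used;   /* bytes left before the terminator */
        if (len > room) { len = room; cut = 1; }
        memcpy(buf + used, argv[i], len);
        used += len;
        if (!cut && i != argc - 1) {
            if (used < sizeof(buf) - 1) buf[used++] = ' ';
            else cut = 1;                       /* no room for the separator */
        }
    }
    buf[used] = '\0';
    if (truncated) *truncated = cut;
    return buf;
}

/* Constructed input: one 2001-byte argument, the "> 2000" case from the report. */
size_t demo_joined_length(int *truncated) {
    static char big[2002];                      /* zero-initialized, so NUL-terminated */
    memset(big, 'A', sizeof(big) - 1);
    char *argv[] = { "cmd", big, "tail" };
    return strlen(join_args_bounded(3, argv, truncated));
}
```

Callers that must not act on a shortened command line can reject the input when the truncation flag is set instead of using the returned string.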

@ec-

Owner

commented Mar 4, 2018

@prodigysml thank you for the report, it helped to discover other related flaws
