From 83f0961cfbae6eb1445e4c6b76de23074e5a3ae6 Mon Sep 17 00:00:00 2001
From: sbx320
Date: Thu, 20 Sep 2018 09:19:26 +0200
Subject: [PATCH] Validate string size read from bitstreams in CLuaArgument parsing Validate max element data name length
---
 Server/mods/deathmatch/logic/lua/CLuaArgument.cpp | 9 +++++++--
 .../mods/deathmatch/logic/packets/CCustomDataPacket.cpp | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/Server/mods/deathmatch/logic/lua/CLuaArgument.cpp b/Server/mods/deathmatch/logic/lua/CLuaArgument.cpp
index 5816a97dfcc9..46609ad6cc0b 100644
--- a/Server/mods/deathmatch/logic/lua/CLuaArgument.cpp
+++ b/Server/mods/deathmatch/logic/lua/CLuaArgument.cpp
@@ -543,8 +543,10 @@ bool CLuaArgument::ReadFromBitStream(NetBitStreamInterface& bitStream, std::vect
 {
 // Read out the string length
 unsigned short usLength;
- if (bitStream.ReadCompressed(usLength) && usLength)
+ if (bitStream.ReadCompressed(usLength) && usLength > 0)
 {
+ if (!bitStream.CanReadNumberOfBytes(usLength))
+ return false;
 // Allocate a buffer and read the string into it
 char* szValue = new char[usLength + 1];
 if (bitStream.Read(szValue, usLength))
@@ -567,8 +569,11 @@ bool CLuaArgument::ReadFromBitStream(NetBitStreamInterface& bitStream, std::vect
 {
 // Read out the string length
 uint uiLength;
- if (bitStream.ReadCompressed(uiLength) && uiLength)
+ if (bitStream.ReadCompressed(uiLength) && uiLength > 0)
 {
+ if(!bitStream.CanReadNumberOfBytes(uiLength))
+ return false;
+ bitStream.AlignReadToByteBoundary(); // Allocate a buffer and read the string into it
diff --git a/Server/mods/deathmatch/logic/packets/CCustomDataPacket.cpp b/Server/mods/deathmatch/logic/packets/CCustomDataPacket.cpp
index 6615bd6525b0..42e55ba17222 100644
--- a/Server/mods/deathmatch/logic/packets/CCustomDataPacket.cpp
+++ b/Server/mods/deathmatch/logic/packets/CCustomDataPacket.cpp
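Review bot: The new `CanReadNumberOfBytes(usLength)` guard in the `unsigned short usLength` branch of `CLuaArgument::ReadFromBitStream` (CLuaArgument.cpp, hunk `-543,8 +543,10`) has no comment saying why a length read from the bit stream is bounded before the buffer is allocated; I would add `// Reject a length prefix larger than the unread payload before allocating` directly above it. The early `return false` sits before `new char[usLength + 1]`, so it adds no leak path of its own, but the handling of a failed `bitStream.Read(szValue, usLength)` lies outside this hunk and it is worth confirming that `szValue` is freed there. The same comment is missing on the `uiLength` check in the following hunk (`-567,8 +569,11`).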
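Review bot: In the `uint uiLength` branch of `CLuaArgument::ReadFromBitStream` (CLuaArgument.cpp, hunk `-567,8 +569,11`) the `CanReadNumberOfBytes(uiLength)` check runs before `bitStream.AlignReadToByteBoundary()`, so it is evaluated against a read position that the alignment may still move forward; the check can pass while fewer than `uiLength` bytes are left for the read that follows. Placing the guard after the alignment makes the bound exact: `bitStream.AlignReadToByteBoundary();` followed by `if (!bitStream.CanReadNumberOfBytes(uiLength)) return false;`. The declaration of `CanReadNumberOfBytes` is not visible here; if its parameter is a signed `int`, confirm that a `uiLength` above `INT_MAX` is rejected rather than converted to a negative count, since the allocation introduced by the trailing comment (outside this hunk) is presumably sized from `uiLength + 1` as in the short-string branch. As a style point, `if(!bitStream` should read `if (!bitStream` to match the spacing used in the previous hunk.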
@@ -25,7 +25,7 @@ CCustomDataPacket::~CCustomDataPacket(void)
 bool CCustomDataPacket::Read(NetBitStreamInterface& BitStream)
 {
 unsigned short usNameLength;
- if (BitStream.Read(m_ElementID) && BitStream.ReadCompressed(usNameLength) && usNameLength > 0)
+ if (BitStream.Read(m_ElementID) && BitStream.ReadCompressed(usNameLength) && usNameLength > 0 && usNameLength <= MAX_CUSTOMDATA_NAME_LENGTH)
 {
 m_szName = new char[usNameLength + 1];
 if (BitStream.Read(m_szName, usNameLength))
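Review bot: The condition in `CCustomDataPacket::Read` now caps `usNameLength` at `MAX_CUSTOMDATA_NAME_LENGTH` but, unlike the two `CLuaArgument` branches changed in the same commit, does not check that this many bytes are still unread before `m_szName = new char[usNameLength + 1]`. The cap bounds the allocation, so what remains is reliance on `BitStream.Read(m_szName, usNameLength)` failing cleanly on a short packet; appending `&& BitStream.CanReadNumberOfBytes(usNameLength)` to the condition would reject such a packet before allocating and keep the three call sites consistent. The definition of `MAX_CUSTOMDATA_NAME_LENGTH` is not visible here, so confirm that a name of exactly that length (the `<=` boundary) is accepted by the code that later stores or compares the name. The rest of the function, including what happens to `m_szName` when the inner `Read` fails, lies outside the hunk.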