From a35eae3dd1d140cb42eafc330b94c1c8f117e631 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 16 Apr 2021 21:03:58 +0200
Subject: [PATCH] Fix a read head-buffer-overflow in esm

The check forgot to account for the terminal zero.
---
 components/esm/loadscpt.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/components/esm/loadscpt.cpp b/components/esm/loadscpt.cpp
index 53b6aedd3..04738b64e 100644
--- a/components/esm/loadscpt.cpp
+++ b/components/esm/loadscpt.cpp
@@ -41,7 +41,7 @@ namespace ESM
             // Support '\r' terminated strings like vanilla. See Bug #1324.
             std::replace(tmp.begin(), tmp.end(), '\r', '\0');
             // Avoid heap corruption
-            if (!tmp.empty() && tmp[tmp.size()-1] != '\0')
+            if (tmp.back() != '\0')
             {
                 tmp.emplace_back('\0');
                 std::stringstream ss;
@@ -54,11 +54,12 @@ namespace ESM
                 str = tmp.data();
             }
 
+            const auto tmpEnd = tmp.data() + tmp.size();
             for (size_t i = 0; i < mVarNames.size(); i++)
             {
                 mVarNames[i] = std::string(str);
                 str += mVarNames[i].size() + 1;
-                if (static_cast(str - tmp.data()) > tmp.size())
+                if (str >= tmpEnd)
                 {
                     // SCVR subrecord is unused and variable names are determined
                     // from the script source, so an overflow is not fatal.
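Review bot: The rewritten condition `if (tmp.back() != '\0')` drops the `!tmp.empty()` guard that the old line carried, and `std::vector::back()` on an empty vector is undefined behaviour rather than a bounds error. Whether an earlier early-return already rejects an empty SCVR buffer is not visible in this hunk, so the guard only looks redundant if that is confirmed; otherwise a zero-length string table (which the loader reads from an untrusted file) turns a read-overflow fix into a new one. The cheap fix is to keep the check explicit, `if (!tmp.empty() && tmp.back() != '\0')`, or to leave a comment at this line stating which preceding check guarantees `tmp` is non-empty. The enclosing function starts and ends outside this hunk.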
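Review bot: The new `if (str >= tmpEnd)` test runs after `str` has been advanced, so a well-formed table whose last name's terminator is the final byte of `tmp` leaves `str == tmpEnd` on the last iteration and enters the overflow branch even though nothing out of range was ever read; the body of that branch is outside the hunk, so it is unclear whether that is only a spurious warning or also discards the last name. The check actually protects the next `std::string(str)` construction, which is where the heap-buffer-overflow read happened, so it belongs before the read rather than after the advance: at the top of the loop body, `if (str >= tmpEnd) { /* warn as the existing branch does */ break; }` followed by the unchanged `mVarNames[i] = std::string(str);` and `str += mVarNames[i].size() + 1;`. That ordering also makes the bound self-evident, since `strlen` inside `std::string(str)` is only safe because the earlier hunk guarantees `tmp` ends in `'\0'`; a one-line comment on `tmpEnd` noting that dependency would help the next reader. The enclosing function continues past the end of this hunk.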