mirror/openmw
1
0
Fork 0
mirror of https://github.com/OpenMW/openmw.git synced 2025-04-08 22:06:43 +00:00
Code Issues Releases Wiki Activity

Merge branch 'fix_esm' into 'master'

Browse source 
Fix a read head-buffer-overflow in esm

See merge request OpenMW/openmw!751
This commit is contained in:
Alexei Dobrohotov 2021-04-25 21:56:52 +00:00
commit add04a4ea0
1 changed files with 3 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
components/esm/loadscpt.cpp
View file

@ -41,7 +41,7 @@ namespace ESM
// Support '\r' terminated strings like vanilla. See Bug #1324. // Support '\r' terminated strings like vanilla. See Bug #1324.
std::replace(tmp.begin(), tmp.end(), '\r', '\0'); std::replace(tmp.begin(), tmp.end(), '\r', '\0');
// Avoid heap corruption // Avoid heap corruption
if (!tmp.empty() && tmp[tmp.size()-1] != '\0') if (tmp.back() != '\0')
{ {
tmp.emplace_back('\0'); tmp.emplace_back('\0');
std::stringstream ss; std::stringstream ss;
@ -54,11 +54,12 @@ namespace ESM
str = tmp.data(); str = tmp.data();
} }
const auto tmpEnd = tmp.data() + tmp.size();
for (size_t i = 0; i < mVarNames.size(); i++) for (size_t i = 0; i < mVarNames.size(); i++)
{ {
mVarNames[i] = std::string(str); mVarNames[i] = std::string(str);
str += mVarNames[i].size() + 1; str += mVarNames[i].size() + 1;
if (static_cast<size_t>(str - tmp.data()) > tmp.size()) if (str >= tmpEnd)
{ {
// SCVR subrecord is unused and variable names are determined // SCVR subrecord is unused and variable names are determined
// from the script source, so an overflow is not fatal. // from the script source, so an overflow is not fatal.