From 5bb2ba1e9e42d39c859c833566974be55f18bd8f Mon Sep 17 00:00:00 2001
From: David Cernat
Date: Sat, 23 Jun 2018 02:33:34 +0300
Subject: [PATCH] [General] Limit maximum imageData size in WorldMap packets
---
 apps/openmw-mp/Script/Functions/Worldstate.cpp | 11 ++++++++++-
 components/openmw-mp/Base/BaseWorldstate.hpp | 2 ++
 .../Packets/Worldstate/PacketWorldMap.cpp | 17 +++++++++++++----
 3 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/apps/openmw-mp/Script/Functions/Worldstate.cpp b/apps/openmw-mp/Script/Functions/Worldstate.cpp
index 51bcb75b9..825dff1f2 100644
--- a/apps/openmw-mp/Script/Functions/Worldstate.cpp
+++ b/apps/openmw-mp/Script/Functions/Worldstate.cpp
@@ -59,7 +59,16 @@ void WorldstateFunctions::LoadMapTileImageFile(int cellX, int cellY, const char*
 std::ifstream inputFile(filePath, std::ios::binary);
 mapTile.imageData = std::vector(std::istreambuf_iterator(inputFile), std::istreambuf_iterator());
- writeWorldstate.mapChanges.mapTiles.push_back(mapTile);
+ if (mapTile.imageData.size() > mwmp::maxImageDataSize)
+ {
+ LOG_MESSAGE_SIMPLE(Log::LOG_ERROR, "Error loading image file for map tile: "
+ "%s has a size of %i, which is over the maximum allowed of %i!",
+ filePath, mapTile.imageData.size(), mwmp::maxImageDataSize);
+ }
+ else
+ {
+ writeWorldstate.mapChanges.mapTiles.push_back(mapTile);
+ }
 }
 void WorldstateFunctions::SetHour(double hour) noexcept
diff --git a/components/openmw-mp/Base/BaseWorldstate.hpp b/components/openmw-mp/Base/BaseWorldstate.hpp
index b4d56d867..0d2d3adcb 100644
--- a/components/openmw-mp/Base/BaseWorldstate.hpp
+++ b/components/openmw-mp/Base/BaseWorldstate.hpp
@@ -9,6 +9,8 @@
 namespace mwmp
 {
+ static const int maxImageDataSize = 1400;
+
 struct MapTile
 {
 int x;
diff --git a/components/openmw-mp/Packets/Worldstate/PacketWorldMap.cpp b/components/openmw-mp/Packets/Worldstate/PacketWorldMap.cpp
index 36b5c4303..43b72bb64 100644
--- a/components/openmw-mp/Packets/Worldstate/PacketWorldMap.cpp
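Review bot: In `LoadMapTileImageFile` (apps/openmw-mp/Script/Functions/Worldstate.cpp) the size limit is applied only after the whole file has been copied into `mapTile.imageData`, so a script that names a very large file still costs the server a full read and allocation before the tile is rejected; checking the stream size first (seek to the end, `tellg()`, seek back) would reject it without buffering. The new log call also passes `mapTile.imageData.size()`, a `size_t`, for a `%i` conversion; if `LOG_MESSAGE_SIMPLE` forwards to a printf-style formatter, as its format string suggests, that mismatch is undefined on 64-bit builds, and `static_cast<int>(mapTile.imageData.size())` or a `%zu` conversion would fix it. The context lines never test whether `inputFile` opened, so a missing file is pushed as an empty tile; that predates this commit but sits next to the new check. The function starts outside the hunk.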
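Review bot: `maxImageDataSize` in components/openmw-mp/Base/BaseWorldstate.hpp carries no comment saying where 1400 comes from or what unit it is in, yet both the script loader and the packet reader rely on it to bound `imageData`. A line such as `// Upper bound, in bytes, on MapTile::imageData accepted from files and from ID_WORLD_MAP packets`, together with the reason for the number, would help whoever changes it later. It is also declared `int` while both call sites compare it with unsigned values (`size_t` and `uint32_t`), which invites sign-compare warnings; `static const uint32_t maxImageDataSize = 1400;` would match its use, provided this header already has the fixed-width integer types in scope.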
+++ b/components/openmw-mp/Packets/Worldstate/PacketWorldMap.cpp
@@ -1,4 +1,5 @@
 #include
+#include
 #include "PacketWorldMap.hpp"
 using namespace std;
@@ -31,17 +32,25 @@ void PacketWorldMap::Packet(RakNet::BitStream *bs, bool send)
 RW(mapTile.x, send);
 RW(mapTile.y, send);
- uint32_t imageDataCount;
+ uint32_t imageDataSize;
 if (send)
- imageDataCount = static_cast(mapTile.imageData.size());
+ imageDataSize = static_cast(mapTile.imageData.size());
- RW(imageDataCount, send);
+ RW(imageDataSize, send);
+
+ if (imageDataSize > mwmp::maxImageDataSize)
+ {
+ LOG_MESSAGE_SIMPLE(Log::LOG_ERROR, "Processed invalid ID_WORLD_MAP packet where tile %i, %i had an imageDataSize of %i",
+ mapTile.x, mapTile.y, imageDataSize);
+ LOG_APPEND(Log::LOG_ERROR, "- The packet was ignored after that point");
+ return;
+ }
 if (!send)
 {
 mapTile.imageData.clear();
- mapTile.imageData.resize(imageDataCount);
+ mapTile.imageData.resize(imageDataSize);
 }
 for (auto &&imageChar : mapTile.imageData)
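Review bot: In `PacketWorldMap::Packet` the bound is checked after `RW(imageDataSize, send)`, so on the send path an oversized length is already in the bitstream when the early `return` fires, leaving a truncated packet whose handling depends on a caller not shown here; testing `mapTile.imageData.size()` before anything is written for the tile would avoid that. On the receive path the `return` sits inside what appears to be a per-tile loop (its start is outside the hunk), so tiles read before the bad one stay in the worldstate and the `void` return gives the caller no sign that the packet was rejected; clearing the tile list or marking the packet invalid before returning would make the "ignored" log line true. The cap is per tile only, and whether the tile count read earlier is bounded is not visible in this hunk; it is worth confirming, since that count governs total allocation per packet. `imageDataSize` is a `uint32_t`, so the `%i` in the log format should be `%u`.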