From e83ecdfa3cb46d2141c69dbfa818db65983f5692 Mon Sep 17 00:00:00 2001
From: Dmitry Tsarevich
Date: Thu, 27 Feb 2025 18:27:16 +0300
Subject: [PATCH] server: Ensure no buffer overflows when sscanf to char buffer

Closes #878
---
 src/game/server/tf/tf_passtime_logic.cpp | 5 ++++-
 src/game/server/tf/tf_player.cpp | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/game/server/tf/tf_passtime_logic.cpp b/src/game/server/tf/tf_passtime_logic.cpp
index 098b8c2c1..c89b13622 100644
--- a/src/game/server/tf/tf_passtime_logic.cpp
+++ b/src/game/server/tf/tf_passtime_logic.cpp
@@ -1853,11 +1853,14 @@ bool CTFPasstimeLogic::ParseSetSection( const char *pStr, SetSectionParams &s )
 {
 char pszStartName[64];
 char pszEndName[64];
- const int iScanCount = sscanf( pStr, "%i %s %s", &s.num, pszStartName, pszEndName ); // WHAT YEAR IS IT
+ const int iScanCount = sscanf( pStr, "%i %63s %63s", &s.num, pszStartName, pszEndName ); // WHAT YEAR IS IT
 if ( iScanCount != 3 )
 {
 return false;
 }
+ pszStartName[ ARRAYSIZE(pszStartName) - 1 ] = '\0';
+ pszEndName[ ARRAYSIZE(pszEndName) - 1 ] = '\0';
+
 s.pSectionStart = dynamic_cast( gEntList.FindEntityByName( 0, pszStartName ) );
 s.pSectionEnd = dynamic_cast( gEntList.FindEntityByName( 0, pszEndName ) );
diff --git a/src/game/server/tf/tf_player.cpp b/src/game/server/tf/tf_player.cpp
index c3f0a8dde..a51c8bdcd 100644
--- a/src/game/server/tf/tf_player.cpp
+++ b/src/game/server/tf/tf_player.cpp
@@ -5950,8 +5950,9 @@ void CTFPlayer::HandleAnimEvent( animevent_t *pEvent )
 char szAttrName[128];
 float flVal;
 float flDuration;
- if ( sscanf( pEvent->options, "%s %f %f", szAttrName, &flVal, &flDuration ) == 3 )
+ if ( sscanf( pEvent->options, "%127s %f %f", szAttrName, &flVal, &flDuration ) == 3 )
 {
+ szAttrName[ ARRAYSIZE(szAttrName) - 1 ] = '\0';
 Assert( flDuration > 0.f );
 AddCustomAttribute( szAttrName, flVal, flDuration );
 }
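Review bot: An over-long name is still accepted instead of rejected in ParseSetSection: `%63s` stops in the middle of the token and the following `%63s` picks up the remainder, so `iScanCount` is 3 while `pszEndName` holds the tail of the start name and the real end name is never read. Ending the format with ` %n` and checking that the whole string was consumed would catch this, i.e. `int nEnd = 0;`, `sscanf( pStr, "%i %63s %63s %n", &s.num, pszStartName, pszEndName, &nEnd )` and `if ( iScanCount != 3 || pStr[nEnd] != '\0' )`. That also rejects extra trailing tokens, which may or may not be wanted by callers not visible here. The two added `[ ARRAYSIZE(...) - 1 ] = '\0'` stores are redundant, because a width-limited `%s` always writes its terminator inside the buffer (the same holds for `szAttrName` in tf_player.cpp); a comment such as `// width must stay at sizeof(buffer) - 1` next to the format string would document the real invariant. The function body continues past the end of the hunk.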
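Review bot: `flDuration` is checked only by `Assert( flDuration > 0.f )`, so if Assert is compiled out of release builds (usual for debug assertions, not visible in this hunk) a zero, negative or NaN duration parsed from `pEvent->options` is passed straight to `AddCustomAttribute`. Since this commit is already hardening the parse, the check could be folded into the condition, `if ( sscanf( pEvent->options, "%127s %f %f", szAttrName, &flVal, &flDuration ) == 3 && flDuration > 0.f )`. How `AddCustomAttribute` treats a non-positive duration is not shown here, so this is a precaution rather than a confirmed defect. The surrounding HandleAnimEvent body starts and ends outside the hunk.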