Remotely triggerable buffer overflow #2698

Closed
DorpsGek opened this issue Mar 4, 2009 · 1 comment
Labels
flyspray This issue is imported from FlySpray (https://bugs.openttd.org/)

Comments

DorpsGek commented Mar 4, 2009

Rubidium opened the ticket and wrote:

In void Packet::Recv_string(char *buffer, size_t size, bool allow_newlines) a string is cut off at buffer + size. If buffer + size - 1 is the beginning of a 2-byte Unicode character that gets encoded into 4 bytes, str_validate will later read over the null termination.

The same can (does) happen at many other places where str_validate is called. The solution would be to pass a lastof pointer or something equivalent to str_validate and make str_validate cut off the whole 'unfinished' encoded Unicode character.

Reported version: trunk
Operating system: All


This issue was imported from FlySpray: https://bugs.openttd.org/task/2698
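
The remedy the ticket proposes (hand the validator an end-of-buffer pointer and cut off the whole unfinished encoded character), as an added example that is not OpenTTD's code and not the r15626 change. The names utf8_seq_len and validate_bounded are hypothetical, and last is assumed to point at the final byte of the buffer, reserved for the terminator.

```c
#include <stddef.h>
#include <stdio.h>

/* Bytes announced by a UTF-8 lead byte, or 0 for a continuation/invalid byte. */
static size_t utf8_seq_len(unsigned char c)
{
    if (c < 0x80) return 1;
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    if ((c & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Hypothetical bounded validator: never reads or writes beyond 'last',
 * never steps over a terminator. Returns the validated string length. */
size_t validate_bounded(char *str, const char *last)
{
    char *p = str;
    while (p < last && *p != '\0') {
        size_t len = utf8_seq_len((unsigned char)*p);
        if (len == 0) { *p++ = '?'; continue; }
        /* Sequence would run into the terminator slot: drop it whole. */
        if (len > (size_t)(last - p)) break;
        /* Inspect continuation bytes one at a time; a NUL stops the scan. */
        size_t i = 1;
        while (i < len && ((unsigned char)p[i] & 0xC0) == 0x80) i++;
        if (i < len) {
            if (p[i] == '\0') break; /* cut off mid-character by the terminator */
            *p++ = '?';              /* malformed: replace lead byte, rescan */
            continue;
        }
        p += len;
    }
    *p = '\0';
    return (size_t)(p - str);
}

int main(void)
{
    /* Constructed input: the second byte of a 2-byte sequence was
     * overwritten by the terminator when the string was cut off. */
    char buf[4] = {'a', 'b', (char)0xC3, '\0'};
    size_t n = validate_bounded(buf, buf + sizeof(buf) - 1);
    printf("%zu \"%s\"\n", n, buf);
    return 0;
}
```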

DorpsGek commented Mar 6, 2009

Rubidium closed the ticket.

Reason for closing: Fixed

In r15626


This comment was imported from FlySpray: https://bugs.openttd.org/task/2698

DorpsGek closed this as completed Mar 6, 2009
DorpsGek added the Core and flyspray labels Apr 6, 2018