Re: [CODE] Say command crashes goodies tarball?

From: Mark Garringer (zizazat@hotmail.com)
Date: 01/25/03


>as IS_NPC(ch) would've caused the crash otherwise.  Since 'ch' is never
>directly modified after this point, this implies a buffer overflow,
>possibly within garble_text().

void garble_text(char *string, int percent, int lang)
{
  char letters[12] = "";
  /* Always up letters[12] to the largest size for letters you wish to
   * use below. */
  int i, s;

  switch (lang) {
  case SKILL_LANG_DWARVEN:
    strcpy (letters, "hprstwxyz");
    s = 8;
    break;
  case SKILL_LANG_ELVEN:
    strcpy (letters, "aefhilnopstu");
    s = 11;
    break;
  default:
    strcpy (letters, "aehiopstuwxyz");
    s = 12;
    break;
  }

  for (i = 0; i < strlen(string); ++i)
    if (isalpha(string[i]) && (rand_number(0, 100) > percent))
      string[i] = letters[rand_number(0, s)];
}

I'd gladly take any suggestions on this :) It seems like maybe garble_text
should be returning something though?

>Both of these sprintf() calls are likely to overflow.  Note that obuf is a
>char array of MAX_INPUT_LENGTH length.  This is the same size as buf,
>which will always contain more text than obuf; hence, any time that obuf
>is close to MAX_INPUT_LENGTH characters long, buf will overflow.

I went back and looked at the stock do_say and see that buf there is
MAX_INPUT_LENGTH + 12, and it uses snprintf rather than sprintf. So I
changed the sprintf to snprintfs and upped my buf size to MAX_INPUT_LENGTH +
MAX_INPUT_LENGTH. This may be a bit much, but so far everything seems to
still work wonderfully for me. Now I'll just have to have Adam test on his
machine and see if he's stopped crashing.

--Ziz
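
Added example, not part of the original post or of the CircleMUD sources: in the garble_text() above, strcpy() writes 13 bytes for the Elven alphabet and 14 for the default one (letters plus the terminating NUL) into letters[12]. The sketch below drops the local buffer and derives the index bound from the alphabet itself. The enum values, the rand_number() stand-in (assumed inclusive, as the post's s values imply), and the names bytes_needed(), lang_alphabet() and garble_text_safe() are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-ins for the MUD's own definitions (not from the post). */
enum { SKILL_LANG_COMMON, SKILL_LANG_DWARVEN, SKILL_LANG_ELVEN };

/* Assumed: inclusive random integer in [from, to]. */
static int rand_number(int from, int to)
{
  return from + rand() % (to - from + 1);
}

/* Bytes strcpy() writes for an alphabet: its letters plus the NUL. */
size_t bytes_needed(const char *alphabet) { return strlen(alphabet) + 1; }

/* Point at the literal instead of copying it into a fixed-size array. */
const char *lang_alphabet(int lang)
{
  switch (lang) {
  case SKILL_LANG_DWARVEN: return "hprstwxyz";
  case SKILL_LANG_ELVEN:   return "aefhilnopstu";
  default:                 return "aehiopstuwxyz";
  }
}

/* Garbles in place, so nothing has to be returned for the text itself;
 * the count of replaced characters is returned only to make it testable. */
int garble_text_safe(char *string, int percent, int lang)
{
  const char *letters = lang_alphabet(lang);
  int last = (int)strlen(letters) - 1;   /* highest valid index */
  size_t i, len = strlen(string);        /* computed once, not per loop */
  int changed = 0;

  for (i = 0; i < len; ++i)
    if (isalpha((unsigned char)string[i]) && rand_number(0, 100) > percent) {
      string[i] = letters[rand_number(0, last)];
      changed++;
    }
  return changed;
}
```

Because the replacement is one character for one character, the string never grows, so the caller's buffer size is unaffected by this function.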




This archive was generated by hypermail 2b30 : 06/26/03 PDT