From 2b1808315f254f774699dd54a0c279946d12adc6 Mon Sep 17 00:00:00 2001 From: Daniel Svensson Date: Sun, 12 Jan 2025 12:07:25 +0100 Subject: [PATCH] CONSOLE: Fix buffer overflow. snprintf implementation may decide to write at the end of the specified buffer length for security reasons which will produce a crash even if the conditions happen to be within bounds. --- src/console.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/console.c b/src/console.c index 7fb107976..2cac99fa6 100644 --- a/src/console.c +++ b/src/console.c @@ -997,9 +997,9 @@ void Con_DrawConsole (int lines) { i = strlen (dlbar); if (cls.download) - snprintf (dlbar + i, sizeof (dlbar), " %02d%%(%dkb/s)", cls.downloadpercent, cls.downloadrate); + snprintf (dlbar + i, sizeof (dlbar) - i, " %02d%%(%dkb/s)", cls.downloadpercent, cls.downloadrate); else if (cls.upload) - snprintf (dlbar + i, sizeof (dlbar), " %02d%%(%dkb/s)", cls.uploadpercent, cls.uploadrate); + snprintf (dlbar + i, sizeof (dlbar) - i, " %02d%%(%dkb/s)", cls.uploadpercent, cls.uploadrate); else return;