[crossfire] Found & maybe fixed bug in saving/loading level hp/sp/gp
Andreas Kirschbaum
kirschbaum at myrealbox.com
Sun Jul 10 09:02:15 CDT 2005
Scott Kullberg wrote:
> [...]
> What I *think* is happening, and I'm not really a C programmer, is
> that the strncpy is copying 48 bytes (MAX_NAME) of
> op->arch->clone.name text into the 32 bytes (BIG_NAME) allocated in
> player.h for a player title. This then overwrites levhp and levsp,
> the next elements of the 'pl' structure, with 16 bytes of nulls.
That is correct. Note that server/player.c did have the same buffer
overflow.
> I was able to fix it by changing BIG_NAME, at include/define.h:100,
> from 32 to 48.
I fixed and committed it into CVS by just adjusting the number of bytes
that strncpy would copy. I.e. I did not change the definition of
MAX_NAME and/or BIG_NAME.
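To make the layout concrete, here is an added C example (not the crossfire code and not the committed patch) that models the part of the 'pl' structure discussed above with the sizes named in the thread, computes how far a MAX_NAME-length strncpy would spill past a BIG_NAME buffer, and shows a copy bounded by the destination size, which is the kind of fix described. The field types, the table length, and the helper names are assumptions.

```c
#include <string.h>

#define MAX_NAME 48   /* from include/define.h, per the thread */
#define BIG_NAME 32   /* from include/define.h, per the thread */

/* Assumed simplified model of the player ('pl') structure: the title
 * buffer is immediately followed by the per-level hp/sp tables. */
typedef struct {
    char title[BIG_NAME];
    int  levhp[11];   /* table length is constructed for the example */
    int  levsp[11];
} player_model;

/* Bytes a copy of copy_len bytes would write past a dest_size buffer.
 * strncpy(title, name, MAX_NAME) gives 48 - 32 = 16 bytes of spill,
 * the "16 bytes of nulls" described in the report (strncpy pads the
 * copy with NULs up to its length argument). */
size_t title_spill_bytes(size_t copy_len, size_t dest_size)
{
    return copy_len > dest_size ? copy_len - dest_size : 0;
}

/* Copy bounded by the destination, not by the source limit, and always
 * NUL-terminated (strncpy alone does not guarantee termination). */
void set_title_bounded(player_model *pl, const char *name)
{
    strncpy(pl->title, name, sizeof(pl->title) - 1);
    pl->title[sizeof(pl->title) - 1] = '\0';
}

/* Fill the hp/sp tables with sentinels, copy a 47-character archetype
 * name (the longest MAX_NAME allows), and report whether the tables
 * survived untouched and the title was truncated with a terminator. */
int title_copy_preserves_tables(void)
{
    player_model pl;
    char name[MAX_NAME];
    memset(name, 'A', MAX_NAME - 1);
    name[MAX_NAME - 1] = '\0';
    for (int i = 0; i < 11; i++) { pl.levhp[i] = 7; pl.levsp[i] = 9; }
    set_title_bounded(&pl, name);
    for (int i = 0; i < 11; i++)
        if (pl.levhp[i] != 7 || pl.levsp[i] != 9) return 0;
    return strlen(pl.title) == BIG_NAME - 1;
}
```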