Fix format overflow issues (#52)

Replace a few sprintf calls with snprintf to prevent buffer overflow. Added error messages to the logs where buffer size prevents a room, object, mobile, or quest from being saved to disk.
2025-09-21 21:40:49 +02:00 · 2018-07-15 10:52:28 -05:00 · 2018-07-15 10:52:28 -05:00 · ad88f94a46
commit ad88f94a46
parent bf941bc9b2
6 changed files with 70 additions and 46 deletions
--- a/src/genmob.c
+++ b/src/genmob.c
@ -368,7 +368,7 @@ int write_mobile_record(mob_vnum mvnum, struct char_data *mob, FILE *fd)
  strip_cr(strncpy(ldesc, GET_LDESC(mob), MAX_STRING_LENGTH - 1));
  strip_cr(strncpy(ddesc, GET_DDESC(mob), MAX_STRING_LENGTH - 1));

-  sprintf(buf,	"#%d\n"
+  int n = snprintf(buf, MAX_STRING_LENGTH, "#%d\n"
 		"%s%c\n"
 		"%s%c\n"
 		"%s%c\n"
@ -380,7 +380,7 @@ int write_mobile_record(mob_vnum mvnum, struct char_data *mob, FILE *fd)
 	ddesc, STRING_TERMINATOR
  );

-  
+  if(n > MAX_STRING_LENGTH) {
    fprintf(fd, "%s", convert_from_tabs(buf));
  
    fprintf(fd, "%d %d %d %d %d %d %d %d %d E\n"
@ -406,10 +406,15 @@ int write_mobile_record(mob_vnum mvnum, struct char_data *mob, FILE *fd)
    script_save_to_disk(fd, mob, MOB_TRIGGER);
  
  
-#if CONFIG_GENOLC_MOBPROG
+  #if CONFIG_GENOLC_MOBPROG
    if (write_mobile_mobprog(mvnum, mob, fd) < 0)
      log("SYSERR: GenOLC: Error writing MobProgs for mobile #%d.", mvnum);
-#endif
+  #endif
+  } else {
+    mudlog(BRF,LVL_BUILDER,TRUE,
+           "SYSERR: Could not save mobile #%d due to size (%d > maximum of %d)",
+           mvnum, n, MAX_STRING_LENGTH);
+  }
  
  return TRUE;
 }
--- a/src/genobj.c
+++ b/src/genobj.c
@ -210,7 +210,7 @@ int save_objects(zone_rnum zone_num)
      } else
        *buf = '\0';

-      sprintf(buf2,
+      int n = snprintf(buf2, MAX_STRING_LENGTH,
 	      "#%d\n"
 	      "%s~\n"
 	      "%s~\n"
@ -223,6 +223,13 @@ int save_objects(zone_rnum zone_num)
 	      (obj->description && *obj->description) ?	obj->description : "undefined",
 	      buf);
        
+      if(n >= MAX_STRING_LENGTH) {
+        mudlog(BRF,LVL_BUILDER,TRUE,
+               "SYSERR: Could not save object #%d due to size (%d > maximum of %d).",
+               GET_OBJ_VNUM(obj), n, MAX_STRING_LENGTH);
+        continue;
+      }
+      
      fprintf(fp, "%s", convert_from_tabs(buf2));

      sprintascii(ebuf1, GET_OBJ_EXTRA(obj)[0]);
--- a/src/genolc.c
+++ b/src/genolc.c
@ -366,13 +366,13 @@ ACMD(do_export_zone)
  f = fix_filename(zone_name); 

  /* Remove the old copy. */ 
-  sprintf(sysbuf, "rm %s%s.tar.gz", path, f); 
+  snprintf(sysbuf, MAX_STRING_LENGTH, "rm %s%s.tar.gz", path, f); 

  /* Tar the new copy. */ 
-   sprintf(sysbuf, "tar -cf %s%s.tar %sqq.info %sqq.wld %sqq.zon %sqq.mob %sqq.obj %sqq.trg %sqq.shp", path, f, path, path, path, path, path, path, path);
+  snprintf(sysbuf, MAX_STRING_LENGTH, "tar -cf %s%s.tar %sqq.info %sqq.wld %sqq.zon %sqq.mob %sqq.obj %sqq.trg %sqq.shp", path, f, path, path, path, path, path, path, path);

  /* Gzip it. */ 
-  sprintf(sysbuf, "gzip %s%s.tar", path, f); 
+  snprintf(sysbuf, MAX_STRING_LENGTH, "gzip %s%s.tar", path, f); 

  send_to_char(ch, "Files tar'ed to \"%s%s.tar.gz\"\r\n", path, f); 
 }
--- a/src/genqst.c
+++ b/src/genqst.c
@ -220,7 +220,7 @@ int save_quests(zone_rnum zone_num)
      strip_cr(quest_quit);
      /* Save the quest details to the file.  */
      sprintascii(quest_flags, QST_FLAGS(rnum));
-      sprintf(buf,
+      int n = snprintf(buf, MAX_STRING_LENGTH,
        "#%d\n"
        "%s%c\n"
        "%s%c\n"
@ -250,9 +250,14 @@ int save_quests(zone_rnum zone_num)
        QST_QUANTITY(rnum), QST_GOLD(rnum), QST_EXP(rnum), QST_OBJ(rnum)
      );
      
+      if(n < MAX_STRING_LENGTH) {
        fprintf(sf, "%s", convert_from_tabs(buf));
-      
        num_quests++;
+      } else {
+        mudlog(BRF,LVL_BUILDER,TRUE, 
+               "SYSERR: Could not save quest #%d due to size (%d > maximum of %d).", 
+               QST_NUM(rnum), n, MAX_STRING_LENGTH);
+      }
    }
  }
  /* Write the final line and close it.  */
--- a/src/genwld.c
+++ b/src/genwld.c
@ -302,7 +302,7 @@ int save_rooms(zone_rnum rzone)
      strip_cr(buf);

      /* Save the numeric and string section of the file. */
-      sprintf(buf2, 	"#%d\n"
+      int n = snprintf(buf2, MAX_STRING_LENGTH, "#%d\n"
 			"%s%c\n"
 			"%s%c\n"
 			"%d %d %d %d %d %d\n",
@ -313,6 +313,13 @@ int save_rooms(zone_rnum rzone)
 	  room->room_flags[3], room->sector_type 
      );
      
+      if(n >= MAX_STRING_LENGTH) {
+        mudlog(BRF,LVL_BUILDER,TRUE,
+               "SYSERR: Could not save room #%d due to size (%d > maximum of %d).",
+               room->number, n, MAX_STRING_LENGTH);
+        continue;
+      }
+
  fprintf(sf, "%s", convert_from_tabs(buf2));
 
      /* Now you write out the exits for the room. */
--- a/src/objsave.c
+++ b/src/objsave.c
@ -1196,7 +1196,7 @@ static int Crash_load_objs(struct char_data *ch) {

  if (!(fl = fopen(filename, "r"))) {
    if (errno != ENOENT) { /* if it fails, NOT because of no file */
-      sprintf(buf, "SYSERR: READING OBJECT FILE %s (5)", filename);
+      snprintf(buf, MAX_STRING_LENGTH, "SYSERR: READING OBJECT FILE %s (5)", filename);
      perror(buf);
      send_to_char(ch, "\r\n********************* NOTICE *********************\r\n"
                       "There was a problem loading your objects from disk.\r\n"