Old 05-07-2006, 03:18 AM   #82
ensiform
The Stig
 
 
Join Date: Nov 2004
Location: Sawtooth Cauldron
Posts: 1,241
Current Game: Borderlands 2
yay more fixes! :

1. Voice Commands show up in the notify box as well as chat box when console is not up?

Easy client fix:
(this also escapes the rest of the line to white after the name)

cg_event.c

look for this line:

Code:
char vchatstr[1024];
change the 3 lines below it to look like this:
Code:
Com_sprintf(vchatstr, sizeof(vchatstr), "<%s^7: %s>", ci->name, descr);	// bounded copy; ^7 resets the color after the name
CG_Printf( "*%s\n", vchatstr );
CG_ChatBox_AddString(vchatstr);

2. CTF messages don't escape to white after player names:

cg_event.c

CG_PrintCTFMessage

Code:
Com_sprintf(printMsg, sizeof(printMsg), "%s ", ci->name);
should be:

Code:
Com_sprintf(printMsg, sizeof(printMsg), "%s^7 ", ci->name);
and

Code:
Com_sprintf(printMsg, sizeof(printMsg), "%s %s", ci->name, psStringEDString);
should be:

Code:
Com_sprintf(printMsg, sizeof(printMsg), "%s^7 %s", ci->name, psStringEDString);

3. New security bug out for the Quake 3 engine; thought it wasn't fixable without the engine?

add this somewhere in bg_misc.c:

Code:
/*
============
COM_StripExtensionSafe
============
*/
void COM_StripExtensionSafe( const char *in, char *out, int destsize ) {
	int             length;

	// bounded copy; skipped when called in place (in == out) so strncpy never sees overlapping buffers
	if (in != out)
		Q_strncpyz(out, in, destsize);

	length = strlen(out)-1;
	while (length > 0 && out[length] != '.')
	{
		length--;
		if (out[length] == '/')
			return;		// hit a directory separator first: no extension
	}
	if (length)
		out[length] = 0;
}
and declare it somewhere in bg_public.h:

Code:
void COM_StripExtensionSafe( const char *in, char *out, int destsize );
now replace all instances of COM_StripExtension in your source with COM_StripExtensionSafe; destsize should be sizeof(the char array you pass as out)

ie:

Code:
COM_StripExtensionSafe(fileptr, configname, sizeof(configname));

even more...

cg_servercmds.c:

look for "remapShader" command in the function CG_ServerCommand and replace that whole if statement for remapShader to:

Code:
	if ( Q_stricmp (cmd, "remapShader") == 0 )
	{
		if (trap_Argc() == 4)
		{
			char shader1[MAX_QPATH];
			char shader2[MAX_QPATH];
			char shader3[MAX_QPATH];

			Q_strncpyz(shader1, CG_Argv(1), sizeof(shader1));
			Q_strncpyz(shader2, CG_Argv(2), sizeof(shader2));
			Q_strncpyz(shader3, CG_Argv(3), sizeof(shader3));

			trap_R_RemapShader(shader1, shader2, shader3);
		}
		
		return;
	}

last file in cgame for this bugfix, cg_syscalls.c:

comment out or delete the trap_R_RemapShader function and replace it with this:

Code:
void	trap_R_RemapShader( const char *oldShader, const char *newShader, const char *timeOffset ) {
	char oldShaderTMP[MAX_QPATH];
	char newShaderTMP[MAX_QPATH];
	Q_strncpyz(oldShaderTMP, oldShader, sizeof(oldShaderTMP));
	Q_strncpyz(newShaderTMP, newShader, sizeof(newShaderTMP));
	COM_StripExtensionSafe(oldShaderTMP, oldShaderTMP, sizeof(oldShaderTMP));
	COM_StripExtensionSafe(newShaderTMP, newShaderTMP, sizeof(newShaderTMP));
	syscall( CG_R_REMAP_SHADER, oldShaderTMP, newShaderTMP, timeOffset );
}

k now open up ui_syscalls.c:

do the same thing in ui_syscalls.c as in cg_syscalls.c; only the syscall itself changes (UI_R_REMAP_SHADER):

Code:
void	trap_R_RemapShader( const char *oldShader, const char *newShader, const char *timeOffset ) {
	char oldShaderTMP[MAX_QPATH];
	char newShaderTMP[MAX_QPATH];
	Q_strncpyz(oldShaderTMP, oldShader, sizeof(oldShaderTMP));
	Q_strncpyz(newShaderTMP, newShader, sizeof(newShaderTMP));
	COM_StripExtensionSafe(oldShaderTMP, oldShaderTMP, sizeof(oldShaderTMP));
	COM_StripExtensionSafe(newShaderTMP, newShaderTMP, sizeof(newShaderTMP));
	syscall( UI_R_REMAP_SHADER, oldShaderTMP, newShaderTMP, timeOffset );
}

now ui_atoms.c:

look for this line:

Code:
if ( Q_stricmp (cmd, "postgame") == 0 ) {
above it add:

Code:
	if ( Q_stricmp (cmd, "remapShader") == 0 ) {
		if (trap_Argc() == 4) {
			char shader1[MAX_QPATH];
			char shader2[MAX_QPATH];
			char shader3[MAX_QPATH];
			
			Q_strncpyz(shader1, UI_Argv(1), sizeof(shader1));
			Q_strncpyz(shader2, UI_Argv(2), sizeof(shader2));
			Q_strncpyz(shader3, UI_Argv(3), sizeof(shader3));
			
			trap_R_RemapShader(shader1, shader2, shader3);
			return qtrue;
		}
	}

I think that is all for this bug.

Source of bug:

http://www.gamer.nl/doc/32206

Translated by Babelfish:

Quote:
Gamers who still play old games based on the Quake 3 engine have been warned. Not only are you hopelessly slow; a serious leak in the engine has also been discovered, through which computer criminals, crackers and other gajes can take over your PC'tje.

The leak is caused by a "boundary error" during the processing of the "remapShader" command. This can lead to a buffer overflow, as a result of which the attacker can execute arbitrary commands and software on the vulnerable PC.

If this is all too technical for you, then you must simply remember to make no connection with "malicious servers". To abuse the leak, an attacker must send a command to the PC by means of its server.

Enemy Territory 2.60, Return to Castle Wolfenstein 1.41 and Quake III 1.32b are vulnerable, but other versions are probably also leaky.

4. Limbs don't take team color if you have a custom RGB model

g_combat.c:

in function G_Dismember:

Code:
	limb->s.customRGBA[0] = ent->s.customRGBA[0];
	limb->s.customRGBA[1] = ent->s.customRGBA[1];
	limb->s.customRGBA[2] = ent->s.customRGBA[2];
	limb->s.customRGBA[3] = ent->s.customRGBA[3];
should be:

Code:
	if (g_gametype.integer >= GT_TEAM) {
		switch(ent->client->sess.sessionTeam)
		{
		case TEAM_RED:
			limb->s.customRGBA[0] = 255;
			limb->s.customRGBA[1] = 0;
			limb->s.customRGBA[2] = 0;
			limb->s.customRGBA[3] = 255;	// alpha: limb is a fresh entity, so set it opaque like the team colors
			break;
		case TEAM_BLUE:
			limb->s.customRGBA[0] = 0;
			limb->s.customRGBA[1] = 0;
			limb->s.customRGBA[2] = 255;
			limb->s.customRGBA[3] = 255;
			break;
		default:
			limb->s.customRGBA[0] = ent->s.customRGBA[0];
			limb->s.customRGBA[1] = ent->s.customRGBA[1];
			limb->s.customRGBA[2] = ent->s.customRGBA[2];
			limb->s.customRGBA[3] = ent->s.customRGBA[3];
			break;
		}
	} else {
		limb->s.customRGBA[0] = ent->s.customRGBA[0];
		limb->s.customRGBA[1] = ent->s.customRGBA[1];
		limb->s.customRGBA[2] = ent->s.customRGBA[2];
		limb->s.customRGBA[3] = ent->s.customRGBA[3];
	}

5. Weird tint for the meters and values when playing FFA or on the blue team

cg_draw.c

look for this:

Code:
	if (cgs.gametype >= GT_TEAM && cgs.gametype != GT_SIEGE)
	{	// tint the hud items based on team
		if (cg.snap->ps.persistant[PERS_TEAM] == TEAM_RED )
			hudTintColor = redhudtint;
		else if (cg.snap->ps.persistant[PERS_TEAM] == TEAM_BLUE )
			hudTintColor = bluehudtint;
		else // If we're not on a team for whatever reason, leave things as they are.
			hudTintColor = colorTable[CT_WHITE];
	}
	else
	{	// tint the hud items white (don't tint)
		hudTintColor = colorTable[CT_WHITE];
	}
replace it with:

Code:
hudTintColor = redhudtint;	// always use red because blue and white screws it up

6. Flag icons have a dark tint when you are in scope because Raven forgets to do trap_R_SetColor(NULL) after every change in color that's not needed anymore.

cg_draw.c again:

CG_DrawFlagStatus

above the !cg.snap line add:

Code:
trap_R_SetColor( NULL );
also in CG_DrawPowerupIcons add, at the same spot as in CG_DrawFlagStatus:

Code:
trap_R_SetColor( NULL );


iojamp project lead / coder

Last edited by ensiform; 06-09-2006 at 12:28 AM.
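The remapShader hardening from fix 3, as an added worked example (my code, not ensiform's and not from the Jedi Academy SDK): it carries the posted COM_StripExtensionSafe together with a stand-in Q_strncpyz, mirrors the patched cgame handler plus the trap wrapper in a hypothetical handle_remap_shader, and pushes a constructed oversize shader name through it with a canary placed right after the destination buffers to confirm the copy stays inside MAX_QPATH. The stand-in Q_strncpyz, handle_remap_shader, strip_matches and the canary check are helpers of this example, not SDK functions; MAX_QPATH is assumed to be 64 as in the SDK.

```c
#include <stdio.h>
#include <string.h>

#define MAX_QPATH 64   /* same limit the SDK uses for shader and file names */

/* Stand-in for the SDK's Q_strncpyz (assumption: same contract, a bounded
 * copy that always NUL-terminates). */
static void Q_strncpyz(char *dest, const char *src, int destsize) {
    if (destsize < 1) return;
    strncpy(dest, src, destsize - 1);
    dest[destsize - 1] = '\0';
}

/* Bounded extension strip as posted above, plus a guard so that calling it
 * in place (in == out, as the trap wrappers do) never hands strncpy
 * overlapping buffers. */
void COM_StripExtensionSafe(const char *in, char *out, int destsize) {
    int length;

    if (in != out)
        Q_strncpyz(out, in, destsize);

    length = (int)strlen(out) - 1;
    while (length > 0 && out[length] != '.') {
        length--;
        if (out[length] == '/')
            return;     /* hit a directory separator first: no extension */
    }
    if (length)
        out[length] = '\0';
}

/* Hypothetical stand-in for the patched remapShader handler plus the trap
 * wrapper: argv[0] is the command name, argv[1..3] the two shader names and
 * the time offset. Returns -1 when the argument count is wrong (the command
 * is ignored, as in the patch), otherwise the number of arguments that had
 * to be truncated to fit MAX_QPATH, which is worth logging: a well-behaved
 * server never sends shader names that long. */
int handle_remap_shader(int argc, const char *argv[], char out[3][MAX_QPATH]) {
    int i, truncated = 0;

    if (argc != 4)
        return -1;
    for (i = 0; i < 3; i++) {
        if (strlen(argv[i + 1]) >= MAX_QPATH)
            truncated++;
        Q_strncpyz(out[i], argv[i + 1], MAX_QPATH);
    }
    COM_StripExtensionSafe(out[0], out[0], MAX_QPATH);
    COM_StripExtensionSafe(out[1], out[1], MAX_QPATH);
    return truncated;
}

/* Returns 1 when stripping `in` into a MAX_QPATH buffer yields `expected`. */
int strip_matches(const char *in, const char *expected) {
    char out[MAX_QPATH];
    COM_StripExtensionSafe(in, out, sizeof(out));
    return strcmp(out, expected) == 0;
}

/* A command with the wrong argument count must be ignored. Returns 1 if so. */
int wrong_argc_is_ignored(void) {
    const char *argv[] = { "remapShader", "textures/a", "textures/b" };
    char out[3][MAX_QPATH];
    return handle_remap_shader(3, argv, out) == -1;
}

/* Feeds a constructed oversize shader name (far longer than any legitimate
 * asset path) through the handler and checks that the bytes directly after
 * the destination buffers are untouched. Returns 1 on success. */
int oversize_name_is_contained(void) {
    struct { char out[3][MAX_QPATH]; char canary[8]; } g;
    char longname[256];
    const char *argv[4];
    int rc;

    memset(longname, 'a', sizeof(longname) - 5);
    strcpy(longname + sizeof(longname) - 5, ".tga");   /* 251 x 'a' + ".tga" */
    memcpy(g.canary, "CANARY!", 8);
    argv[0] = "remapShader";
    argv[1] = longname;
    argv[2] = "textures/replacement.jpg";
    argv[3] = "0";

    rc = handle_remap_shader(4, argv, g.out);
    return rc == 1                               /* exactly one argument truncated */
        && strlen(g.out[0]) == MAX_QPATH - 1     /* name clipped to fit the buffer */
        && strchr(g.out[0], '.') == NULL         /* the extension fell off with the clip */
        && memcmp(g.canary, "CANARY!", 8) == 0;  /* nothing written past the buffers */
}

int main(void) {
    printf("strip textures/foo/bar.tga: %s\n",
           strip_matches("textures/foo/bar.tga", "textures/foo/bar") ? "ok" : "FAIL");
    printf("wrong argc ignored: %s\n", wrong_argc_is_ignored() ? "ok" : "FAIL");
    printf("oversize name contained: %s\n", oversize_name_is_contained() ? "ok" : "FAIL");
    return 0;
}
```

The truncation count is the piece the SDK patch does not give you: once names are bounded the overflow is gone, but a server that sends a 255-byte shader name is still doing something no legitimate server does, so logging that count (or dropping the connection) turns the fix into a detection as well.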