From 6a4e8916e666456f864a2c3e8d11095502f64b6d Mon Sep 17 00:00:00 2001
From: toaster
Date: Wed, 1 May 2024 19:54:09 +0100
Subject: [PATCH] G_SaveDemo: Resolve memory errors that could result in crashes

- Empty `demo.titlename` case
  - Don't try to save demo of name `.lmp`
  - Doesn't fall back to anything, because emptying out the name field can be reasonably treated as not wanting to save
- `demo.titlename` consists only of invalid characters
  - Don't try to save demo of name `-.lmp`
  - Falls back to the default demo title, because the user clearly wanted to save and just happened to provide invalid text
---
 src/g_demo.c | 34 ++++++++++++++++++++++++++++------
 1 file changed, 28 insertions(+), 6 deletions(-)

diff --git a/src/g_demo.c b/src/g_demo.c
index 2f6a05990..25269f07e 100644
--- a/src/g_demo.c
+++ b/src/g_demo.c
@@ -4412,7 +4412,7 @@ void G_SaveDemo(void)
 			strindex++;
 			dash = false;
 		}
-		else if (!dash)
+		else if (strindex && !dash)
 		{
 			demo_slug[strindex] = '-';
 			strindex++;
@@ -4420,12 +4420,34 @@ void G_SaveDemo(void)
 			}
 		}
-		demo_slug[strindex] = 0;
-		if (dash) demo_slug[strindex-1] = 0;
+		if (dash && strindex)
+		{
+			strindex--;
+		}
+		demo_slug[strindex] = '\0';
-		writepoint = strstr(strrchr(demoname, *PATHSEP), "-") + 1;
-		demo_slug[128 - (writepoint - demoname) - 4] = 0;
-		sprintf(writepoint, "%s.lmp", demo_slug);
+		if (demo_slug[0] != '\0')
+		{
+			// Slug is valid, write the chosen filename.
+			writepoint = strstr(strrchr(demoname, *PATHSEP), "-") + 1;
+			demo_slug[128 - (writepoint - demoname) - 4] = 0;
+			sprintf(writepoint, "%s.lmp", demo_slug);
+		}
+		else if (demo.titlename[0] == '\0')
+		{
+			// Slug is completely blank? Will crash if we attempt to save
+			// No bailout because empty seems like a good "no thanks" choice
+			if (demobuf.buffer)
+				Z_Free(demobuf.buffer);
+			demobuf.buffer = NULL;
+			demo.recording = false;
+			return;
+		}
+		// If a title that is invalid is provided, the user clearly wanted
+		// to save. But we can't do so at that name, so we only apply the
+		// title INSIDE the file, not in the naked filesystem.
+		// (A hypothetical example is bamboozling bot behaviour causing
+		// a player to write "?????????".) ~toast 010524
 	}
 	length = *(UINT32 *)demoinfo_p;
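Review bot: The new slug-valid branch keeps `writepoint = strstr(strrchr(demoname, *PATHSEP), "-") + 1;` unchecked, so a demoname with no path separator, or no "-" after it, yields NULL + 1 and a crash inside `sprintf`, and `demo_slug[128 - (writepoint - demoname) - 4]` indexes before the buffer once the prefix is longer than 124 bytes — memory errors of the same kind the commit sets out to remove. The bound also looks one byte short: prefix + slug + ".lmp" + terminator needs 129 bytes when the slug is allowed 128 - prefix - 4 characters, which overflows if demoname really is a 128-byte array (its declaration is outside the hunk, so confirm the constant against `sizeof(demoname)`). Guard the separator lookup and subtract 5 instead of 4, keeping the default name when there is no room, as sketched below. The bailout branch releases only `demobuf.buffer`; if the earlier part of G_SaveDemo (outside the hunk) set other state such as `demo_p`/`demoinfo_p` or opened a file, that path needs the same reset. G_SaveDemo begins before this hunk and its write-out continues after it.
```c
if (demo_slug[0] != '\0')
{
	// Slug is valid: write the chosen filename, but only if the name has a
	// "-" separator and there is room for slug + ".lmp" + terminator.
	char *base = strrchr(demoname, *PATHSEP);
	char *dashpos = base ? strstr(base, "-") : NULL;
	if (dashpos != NULL && (dashpos + 1 - demoname) <= 128 - 5)
	{
		writepoint = dashpos + 1;
		demo_slug[128 - (writepoint - demoname) - 5] = '\0';
		sprintf(writepoint, "%s.lmp", demo_slug);
	}
	// else: keep the default demo name already in demoname.
}
// … unchanged: empty-title bailout and trailing comment …
```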