[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <00cb01c57e81$7e360e80$0505a8c0@Slawek>
Date: Sat Jul 2 14:56:31 2005
From: sgp at telsatgp.com.pl (Slawek)
Subject: Re: In-game /ignore crash in Soldier of Fortune
II 1.03
Hello!
In message to <bugtraq@...urityfocus.com>; <bugs@...uritytracker.com>;
<news@...uriteam.com>; <full-disclosure@...ts.grok.org.uk>;
<vuln@...unia.com> sent Wed, 29 Jun 2005 20:32:51 +0000 you wrote:
LA> #######################################################################
LA> Luigi Auriemma
LA> Application: Soldier of Fortune II
LA> http://sof2.ravensoft.com
LA> Versions: 1.02x and 1.03
LA> Platforms: Windows, Linux and Mac
LA> Bug: bad memory access
LA> Exploitation: remote, versus server (in-game)
LA> Date: 29 Jun 2005
LA> Author: unknown, found in the wild and reported to me by two
LA> admins
LA> Advisory: Luigi Auriemma
LA> e-mail: aluigi@...istici.org
LA> web: http://aluigi.altervista.org
[...]
LA> ======
LA> 4) Fix
LA> ======
LA> The game is no longer supported so there is no official fix.
LA> The correct way for removing the problem is patching the bug into the
LA> latest SDK available for the game (1.02 + 1.03) and recompiling it.
LA> The patch consists in the adding of the following instruction in
LA> g_cmds.c after "ignoree = atoi( buffer );" at line 1962:
LA> if(ignoree > MAX_GENTITIES) return;
I'm afraid it's not enough.
Unfortunatelly ignoree is declared "int" so you should test for negative
values as well.
Also used table is MAX_GENTITIES long, so ignoree being equal MAX_GENTITIES
is invalid.
Correct test should rather look like this:
if ((ignoree < 0) || (ignoree >= MAX_GENTITIES)) return;
------------------------------------------
Slawomir Piotrowski / Telsat GP
Rejestracja Czasu Pracy i Kontrola Dostepu
http://www.ewidencja-czasu-pracy.pl
------------------------------------------
Powered by blists - more mailing lists