server: Ensure no buffer overflows when sscanf to char buffer

dimhotepus · EricS-Valve · commit e83ecdfa3cb4 · 2025-11-05T18:20:52.000-08:00
Closes #878
diff --git a/src/game/server/tf/tf_passtime_logic.cpp b/src/game/server/tf/tf_passtime_logic.cpp
@@ -1853,11 +1853,14 @@ bool CTFPasstimeLogic::ParseSetSection( const char *pStr, SetSectionParams &s )
 {
 	char pszStartName[64];
 	char pszEndName[64];
-	const int iScanCount = sscanf( pStr, "%i %s %s", &s.num, pszStartName, pszEndName ); // WHAT YEAR IS IT
+	const int iScanCount = sscanf( pStr, "%i %63s %63s", &s.num, pszStartName, pszEndName ); // WHAT YEAR IS IT
 	if ( iScanCount != 3 )
 	{
 		return false;
 	}
+	pszStartName[ ARRAYSIZE(pszStartName) - 1 ] = '\0';
+	pszEndName[ ARRAYSIZE(pszEndName) - 1 ] = '\0';
+
 	s.pSectionStart = dynamic_cast<CPathTrack*>( gEntList.FindEntityByName( 0, pszStartName ) );
 	s.pSectionEnd = dynamic_cast<CPathTrack*>( gEntList.FindEntityByName( 0, pszEndName ) );
 
diff --git a/src/game/server/tf/tf_player.cpp b/src/game/server/tf/tf_player.cpp
@@ -5950,8 +5950,9 @@ void CTFPlayer::HandleAnimEvent( animevent_t *pEvent )
 		char szAttrName[128];
 		float flVal;
 		float flDuration;
-		if ( sscanf( pEvent->options, "%s %f %f", szAttrName, &flVal, &flDuration ) == 3 )
+		if ( sscanf( pEvent->options, "%127s %f %f", szAttrName, &flVal, &flDuration ) == 3 )
 		{
+			szAttrName[ ARRAYSIZE(szAttrName) - 1 ] = '\0';
 			Assert( flDuration > 0.f );
 			AddCustomAttribute( szAttrName, flVal, flDuration );
 		}

Original file line number	Diff line number	Diff line change
`@@ -1853,11 +1853,14 @@ bool CTFPasstimeLogic::ParseSetSection( const char *pStr, SetSectionParams &s )`
`1853`	`1853`	`{`
`1854`	`1854`	`char pszStartName[64];`
`1855`	`1855`	`char pszEndName[64];`
`1856`		`- const int iScanCount = sscanf( pStr, "%i %s %s", &s.num, pszStartName, pszEndName ); // WHAT YEAR IS IT`
	`1856`	`+ const int iScanCount = sscanf( pStr, "%i %63s %63s", &s.num, pszStartName, pszEndName ); // WHAT YEAR IS IT`
`1857`	`1857`	`if ( iScanCount != 3 )`
`1858`	`1858`	`{`
`1859`	`1859`	`return false;`
`1860`	`1860`	`}`
	`1861`	`+ pszStartName[ ARRAYSIZE(pszStartName) - 1 ] = '\0';`
	`1862`	`+ pszEndName[ ARRAYSIZE(pszEndName) - 1 ] = '\0';`
	`1863`	`+`
`1861`	`1864`	`s.pSectionStart = dynamic_cast<CPathTrack*>( gEntList.FindEntityByName( 0, pszStartName ) );`
`1862`	`1865`	`s.pSectionEnd = dynamic_cast<CPathTrack*>( gEntList.FindEntityByName( 0, pszEndName ) );`
`1863`	`1866`
Original file line number	Diff line number	Diff line change
`@@ -5950,8 +5950,9 @@ void CTFPlayer::HandleAnimEvent( animevent_t *pEvent )`
`5950`	`5950`	`char szAttrName[128];`
`5951`	`5951`	`float flVal;`
`5952`	`5952`	`float flDuration;`
`5953`		`- if ( sscanf( pEvent->options, "%s %f %f", szAttrName, &flVal, &flDuration ) == 3 )`
	`5953`	`+ if ( sscanf( pEvent->options, "%127s %f %f", szAttrName, &flVal, &flDuration ) == 3 )`
`5954`	`5954`	`{`
	`5955`	`+ szAttrName[ ARRAYSIZE(szAttrName) - 1 ] = '\0';`
`5955`	`5956`	`Assert( flDuration > 0.f );`
`5956`	`5957`	`AddCustomAttribute( szAttrName, flVal, flDuration );`
`5957`	`5958`	`}`