From 410dc04576b9a1f09f392aa82902a0ae010867fd Mon Sep 17 00:00:00 2001
From: "(Jip) Willem Wijnia"
Date: Sat, 8 Feb 2025 15:12:48 +0100
Subject: [PATCH] Add a guard to prevent a buffer overflow when saving a game (#6647)
---
 changelog/snippets/fix.6647.md | 1 +
 lua/ui/globals/InternalSaveGame.lua | 43 +++++++++++++++++++++++++++++
 lua/userInit.lua | 1 +
 3 files changed, 45 insertions(+)
 create mode 100644 changelog/snippets/fix.6647.md
 create mode 100644 lua/ui/globals/InternalSaveGame.lua
diff --git a/changelog/snippets/fix.6647.md b/changelog/snippets/fix.6647.md
new file mode 100644
index 0000000000..629e3171ea
--- /dev/null
+++ b/changelog/snippets/fix.6647.md
@@ -0,0 +1 @@
+- (#6647) Fix a buffer overflow exploit in the `InternalSaveGame` user global
diff --git a/lua/ui/globals/InternalSaveGame.lua b/lua/ui/globals/InternalSaveGame.lua
new file mode 100644
index 0000000000..73d987ca11
--- /dev/null
+++ b/lua/ui/globals/InternalSaveGame.lua
@@ -0,0 +1,43 @@
+---@declare-global
+
+--******************************************************************************************************
+--** Copyright (c) 2024 Willem 'Jip' Wijnia
+--**
+--** Permission is hereby granted, free of charge, to any person obtaining a copy
+--** of this software and associated documentation files (the "Software"), to deal
+--** in the Software without restriction, including without limitation the rights
+--** to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+--** copies of the Software, and to permit persons to whom the Software is
+--** furnished to do so, subject to the following conditions:
+--**
+--** The above copyright notice and this permission notice shall be included in all
+--** copies or substantial portions of the Software.
+--**
+--** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+--** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+--** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+--** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+--** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+--** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+--** SOFTWARE.
+--******************************************************************************************************
+
+do
+ local DebugAllocatedSize = debug.allocatedsize
+ local oldInternalSaveGame = _G.InternalSaveGame
+
+ --- Hook to fix a buffer overflow security issue in the engine
+ ---@param filename string
+ _G.InternalSaveGame = function(filename, friendlyFilename, onCompletionCallback)
+ local characterLimit = 100
+ if DebugAllocatedSize(filename) > characterLimit then
+ filename = filename:sub(1, characterLimit)
+ end
+
+ if DebugAllocatedSize(friendlyFilename) > characterLimit then
+ friendlyFilename = friendlyFilename:sub(1, characterLimit)
+ end
+
+ return oldInternalSaveGame(filename, friendlyFilename, onCompletionCallback)
+ end
+end
diff --git a/lua/userInit.lua b/lua/userInit.lua
index 535c3fbd27..cb92901466 100644
--- a/lua/userInit.lua
+++ b/lua/userInit.lua
@@ -18,6 +18,7 @@ end
 -- # Global (and shared) init
 doscript '/lua/globalInit.lua'
 doscript '/lua/ui/globals/GpgNetSend.lua'
+doscript '/lua/ui/globals/InternalSaveGame.lua'
 -- Do we have an custom language set inside user-options ?
 local selectedlanguage = import("/lua/user/prefs.lua").GetFromCurrentProfile('options').selectedlanguage
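Review bot: In `lua/ui/globals/InternalSaveGame.lua` the hook tests `DebugAllocatedSize(filename) > characterLimit` but cuts with `filename:sub(1, characterLimit)` (and likewise for `friendlyFilename`), so the test measures allocated size while the cut measures string length, and nothing in the file says which of the two the engine buffer is bounded by. If `debug.allocatedsize` counts any per-string overhead, the branch also fires for names shorter than 100 characters and the `sub` call returns them unchanged; that is harmless, but it makes the effective bound hard to audit. A comment on the constant would settle it, for example `-- engine-side buffer is <ENGINE_BUFFER_BYTES> bytes; 100 is the largest name length, in bytes, that fits`, with the real size filled in by someone who has the engine details. Truncation is also silent, so two long names that share their first 100 characters would presumably resolve to the same save; a `WARN` line when a name is shortened would make that visible in the log. The `---@param` annotations cover only `filename`; `friendlyFilename` and `onCompletionCallback` should be annotated too.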