Re: [CODE] Say command crashes goodies tarball?

From: Daniel A. Koepke (
Date: 01/24/03

On Sat, 25 Jan 2003, Mark Garringer wrote:

> >#0  0x08049c12 in do_say (ch=Cannot access memory at address 0xbfff0082
> >) at act.comm.c:142
> >Cannot access memory at address 0xbfff007a

ch is pointing to an invalid address.  However, it's correct here:

>   if (!IS_NPC(ch))
>     garble_text(ibuf, GET_SKILL(ch, SPEAKING(ch)), SPEAKING(ch));

as IS_NPC(ch) would've caused the crash otherwise.  Since 'ch' is never
directly modified after this point, this implies a buffer overflow,
possibly within garble_text().

>        sprintf(buf, "$n says, in an unfamiliar tongue, '%s'",  obuf);
>       else
>        sprintf(buf, "$n says '%s'", obuf);

Both of these sprintf() calls are likely to overflow.  Note that obuf is a
char array of MAX_INPUT_LENGTH length.  This is the same size as buf,
which will always contain more text than obuf; hence, any time that obuf
is close to MAX_INPUT_LENGTH characters long, buf will overflow.
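To make the size arithmetic in the paragraph above concrete, here is an added C example (not code from this post or from the MUD source): it measures what each of the two sprintf() calls would write into a buf of MAX_INPUT_LENGTH bytes, and shows the snprintf() replacement that truncates instead of running off the end of the array. MAX_INPUT_LENGTH is a constructed value of 256, since the post does not state it.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the MUD's MAX_INPUT_LENGTH: the post only says
 * that buf and obuf share this size, not what it is. */
#define MAX_INPUT_LENGTH 256

/* Output buffer, the same size as obuf, exactly as in do_say(). */
char say_buf[MAX_INPUT_LENGTH];

/* Builds a string of n 'a' characters (constructed test input). */
const char *repeat_a(size_t n) {
    static char s[MAX_INPUT_LENGTH];
    if (n >= sizeof s) n = sizeof s - 1;
    memset(s, 'a', n);
    s[n] = '\0';
    return s;
}

/* Bytes the original sprintf() would write, including the NUL.
 * snprintf(NULL, 0, ...) only measures; nothing is written. */
size_t say_bytes_needed(const char *obuf, int unfamiliar) {
    int n = unfamiliar
        ? snprintf(NULL, 0, "$n says, in an unfamiliar tongue, '%s'", obuf)
        : snprintf(NULL, 0, "$n says '%s'", obuf);
    return (size_t)n + 1;
}

/* 1 if the original sprintf(buf, ...) would run past a MAX_INPUT_LENGTH buf. */
int sprintf_overflows(const char *obuf, int unfamiliar) {
    return say_bytes_needed(obuf, unfamiliar) > MAX_INPUT_LENGTH;
}

/* Hardened replacement: snprintf() writes at most bufsz - 1 characters and
 * always NUL-terminates, so an over-long obuf truncates the message instead
 * of overwriting whatever follows buf. Returns 1 when truncation happened. */
int format_say(char *buf, size_t bufsz, const char *obuf, int unfamiliar) {
    int n = unfamiliar
        ? snprintf(buf, bufsz, "$n says, in an unfamiliar tongue, '%s'", obuf)
        : snprintf(buf, bufsz, "$n says '%s'", obuf);
    return n < 0 || (size_t)n >= bufsz;
}

int main(void) {
    /* 240 characters of obuf fit the short form but not the long one. */
    const char *obuf = repeat_a(240);
    printf("short form overflows:  %d\n", sprintf_overflows(obuf, 0));
    printf("long form overflows:   %d\n", sprintf_overflows(obuf, 1));
    printf("truncated by snprintf: %d\n", format_say(say_buf, sizeof say_buf, obuf, 1));
    return 0;
}
```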


