On Sat, 25 Jan 2003, Mark Garringer wrote:

> >#0  0x08049c12 in do_say (ch=Cannot access memory at address 0xbfff0082
> >) at act.comm.c:142
> >Cannot access memory at address 0xbfff007a

ch is pointing to an invalid address.  However, it's correct here:

>   if (!IS_NPC(ch))
>     garble_text(ibuf, GET_SKILL(ch, SPEAKING(ch)), SPEAKING(ch));

as IS_NPC(ch) would've caused the crash otherwise.  Since 'ch' is never
directly modified after this point, this implies a buffer overflow,
possibly within garble_text().

>     sprintf(buf, "$n says, in an unfamiliar tongue, '%s'", obuf);
>   else
>     sprintf(buf, "$n says '%s'", obuf);

Both of these sprintf() calls are likely to overflow.  Note that obuf is a
char array of MAX_INPUT_LENGTH length.  This is the same size as buf,
which will always contain more text than obuf; hence, any time that obuf
is close to MAX_INPUT_LENGTH characters long, buf will overflow.

-dak

--
+---------------------------------------------------------------+
| FAQ: http://qsilver.queensu.ca/~fletchra/Circle/list-faq.html |
| Archives: http://post.queensu.ca/listserv/wwwarch/circle.html |
| Newbie List: http://groups.yahoo.com/group/circle-newbies/    |
+---------------------------------------------------------------+
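The arithmetic behind dak's point, as an added example that is not part of the original post and not CircleMUD's own code: both sprintf() calls write obuf plus a fixed template into a buf of the same size, so the message no longer fits once obuf is within a template's length of MAX_INPUT_LENGTH. The value 256 for MAX_INPUT_LENGTH is an assumption for this example (the real constant lives in CircleMUD's structs.h), and needed_len(), max_safe_obuf_len(), format_say(), say_overflows() and say_truncated() are hypothetical helpers written here, not functions from the game. say_overflows() measures what the unbounded sprintf() would need; format_say() is a bounded replacement using snprintf() that truncates and reports it instead of running off the end of buf.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value for this example; CircleMUD's real constant is in structs.h. */
#define MAX_INPUT_LENGTH 256

/* The two formats from do_say() quoted in the post. */
static const char FMT_FAMILIAR[]   = "$n says '%s'";
static const char FMT_UNFAMILIAR[] = "$n says, in an unfamiliar tongue, '%s'";

/* Bytes sprintf(buf, fmt, obuf) would write, NUL terminator included.
 * snprintf() with a size of 0 only measures; nothing is stored. */
size_t needed_len(const char *fmt, const char *obuf)
{
    return (size_t)snprintf(NULL, 0, fmt, obuf) + 1;
}

/* Longest obuf (in characters) whose message still fits in bufsize bytes. */
size_t max_safe_obuf_len(const char *fmt, size_t bufsize)
{
    size_t overhead = needed_len(fmt, "");      /* template text + NUL */
    return bufsize > overhead ? bufsize - overhead : 0;
}

/* Bounded replacement for the two sprintf() calls: never writes past
 * bufsize, and returns 1 when the message had to be truncated instead of
 * silently overwriting whatever follows buf on the stack. */
int format_say(char *buf, size_t bufsize, const char *fmt, const char *obuf)
{
    int n = snprintf(buf, bufsize, fmt, obuf);
    return n < 0 || (size_t)n >= bufsize;
}

/* Builds a constructed say of obuf_len 'A' characters (capped to what a
 * MAX_INPUT_LENGTH array can hold) and reports whether the unbounded
 * sprintf() into a same-sized buf would overflow. */
int say_overflows(const char *fmt, size_t obuf_len)
{
    char obuf[MAX_INPUT_LENGTH];
    if (obuf_len > MAX_INPUT_LENGTH - 1)
        obuf_len = MAX_INPUT_LENGTH - 1;
    memset(obuf, 'A', obuf_len);
    obuf[obuf_len] = '\0';
    return needed_len(fmt, obuf) > MAX_INPUT_LENGTH;
}

/* Same constructed input through the bounded version: returns 1 if it was
 * truncated, 0 if it fit, and -1 if buf were ever left unterminated. */
int say_truncated(const char *fmt, size_t obuf_len)
{
    char obuf[MAX_INPUT_LENGTH], buf[MAX_INPUT_LENGTH];
    if (obuf_len > MAX_INPUT_LENGTH - 1)
        obuf_len = MAX_INPUT_LENGTH - 1;
    memset(obuf, 'A', obuf_len);
    obuf[obuf_len] = '\0';
    int truncated = format_say(buf, sizeof buf, fmt, obuf);
    if (strlen(buf) >= sizeof buf)   /* cannot happen with snprintf() */
        return -1;
    return truncated;
}

int main(void)
{
    size_t full = MAX_INPUT_LENGTH - 1;   /* longest string obuf can hold */

    printf("buf and obuf are both %d bytes\n", MAX_INPUT_LENGTH);
    printf("short form: template needs %zu bytes, safe up to %zu chars, "
           "overflow at %zu chars: %s\n",
           needed_len(FMT_FAMILIAR, ""),
           max_safe_obuf_len(FMT_FAMILIAR, MAX_INPUT_LENGTH),
           full, say_overflows(FMT_FAMILIAR, full) ? "yes" : "no");
    printf("unfamiliar-tongue form: template needs %zu bytes, safe up to %zu "
           "chars, overflow at %zu chars: %s\n",
           needed_len(FMT_UNFAMILIAR, ""),
           max_safe_obuf_len(FMT_UNFAMILIAR, MAX_INPUT_LENGTH),
           full, say_overflows(FMT_UNFAMILIAR, full) ? "yes" : "no");
    printf("bounded version at %zu chars: truncated=%d\n",
           full, say_truncated(FMT_UNFAMILIAR, full));
    return 0;
}
```

With the assumed 256-byte buffers, the short template costs 11 bytes and the unfamiliar-tongue one 37, so any say longer than 245 or 219 characters respectively overflows buf even though the input parser accepted it. snprintf() truncation is the minimal stop-gap; sizing buf for the longest template plus MAX_INPUT_LENGTH (or using MAX_STRING_LENGTH, as the rest of the codebase does for output) removes the truncation as well.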
This archive was generated by hypermail 2b30 : 06/26/03 PDT