Re: [CODE] Say command crashes goodies tarball?

From: Mark Garringer (
Date: 01/25/03

>as IS_NPC(ch) would've caused the crash otherwise.  Since 'ch' is never
>directly modified after this point, this implies a buffer overflow,
>possibly within garble_text().

void garble_text(char *string, int percent, int lang)
{
  /* Always up letters[] to the largest size for letters you wish to
   * use below.  As posted this was letters[12], which cannot hold the
   * 13-letter "aehiopstuwxyz" plus its NUL (14 bytes), so the strcpy()
   * wrote past the end of the array; 14 is the smallest size that fits. */
  char letters[14] = "";
  int i, s;

  switch (lang) {
  case 0:   /* case values and break statements are reconstructed; they were lost from the post */
    strcpy (letters, "hprstwxyz");
    s = 8;
    break;
  case 1:
    strcpy (letters, "aefhilnopstu");
    s = 11;
    break;
  case 2:
    strcpy (letters, "aehiopstuwxyz");
    s = 12;
    break;
  default:  /* unknown language: leave the text alone rather than use an uninitialised s */
    return;
  }

  /* rand_number(from, to) is inclusive, so s must be strlen(letters) - 1 */
  for (i = 0; i < strlen(string); ++i)
    if (isalpha(string[i]) && (rand_number(0, 100) > percent))
      string[i] = letters[rand_number(0, s)];
}

I'd gladly take any suggestions on this :) It seems like maybe garble_text
should be returning something though?

>Both of these sprintf() calls are likely to overflow.  Note that obuf is a
>char array of MAX_INPUT_LENGTH length.  This is the same size as buf,
>which will always contain more text than obuf; hence, any time that obuf
>is close to MAX_INPUT_LENGTH characters long, buf will overflow.

I went back and looked at the stock do_say and see that buf there is
MAX_INPUT_LENGTH + 12, and it uses snprintf rather than sprintf. So I
changed the sprintf to snprintfs and upped my buf size to MAX_INPUT_LENGTH +
MAX_INPUT_LENGTH. This may be a bit much, but so far everything seems to
still work wonderfully for me. Now I'll just have to have Adam test on his
machine and see if he's stopped crashing.
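Both problems raised in this thread in one place, as an added example that is not code from the original post or from CircleMUD: garble_text sized from a table of alphabets instead of a hand-maintained letters[12] and s, and the say line composed with snprintf into a fixed buffer so an over-long input is truncated instead of overflowing. The MAX_INPUT_LENGTH value, the rand_number stand-in, the language numbering and the demo_ functions are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_INPUT_LENGTH 256   /* assumed value; stands in for the MUD's constant */

/* Stand-in for the MUD's rand_number(from, to): inclusive on both ends. */
static int rand_number(int from, int to)
{
    if (from > to) { int t = from; from = to; to = t; }
    return from + rand() % (to - from + 1);
}

/* One alphabet per language (numbering assumed).  Their lengths are read
 * with strlen() at use, so no array size or index limit is hand-counted. */
static const char *const garble_alphabets[] = {
    "hprstwxyz",
    "aefhilnopstu",
    "aehiopstuwxyz",
};
#define NUM_GARBLE_LANGS (sizeof(garble_alphabets) / sizeof(garble_alphabets[0]))

/* Garble string in place; returns the number of letters replaced, or -1
 * for an unknown language.  Nothing is ever copied into a local buffer. */
int garble_text_safe(char *string, int percent, int lang)
{
    const char *letters;
    size_t n, len, i;
    int changed = 0;

    if (lang < 0 || (size_t)lang >= NUM_GARBLE_LANGS)
        return -1;
    letters = garble_alphabets[lang];
    n = strlen(letters);
    len = strlen(string);           /* measured once, not on every loop */
    for (i = 0; i < len; i++) {
        if (isalpha((unsigned char)string[i]) && rand_number(0, 100) > percent) {
            string[i] = letters[rand_number(0, (int)n - 1)];
            changed++;
        }
    }
    return changed;
}

/* Compose "Name says, 'text'" into out[outsz].  snprintf() never writes
 * past outsz and always NUL-terminates; the return value is the length the
 * full message needed, so a caller can detect truncation (needed >= outsz). */
int format_say(char *out, size_t outsz, const char *name, const char *text)
{
    return snprintf(out, outsz, "%s says, '%s'", name, text);
}

/* percent 100 means rand_number(0,100) > 100 never holds: nothing changes. */
int demo_unchanged_at_percent_100(void)
{
    char buf[] = "Hello, world 42!";       /* constructed sample input */
    int changed = garble_text_safe(buf, 100, 2);
    return changed == 0 && strcmp(buf, "Hello, world 42!") == 0;
}

/* Whatever the RNG does, length is preserved, non-letters are untouched and
 * every substituted character comes from the chosen alphabet. */
int demo_garble_properties(void)
{
    const char *orig = "Hello, world 42!";  /* constructed sample input */
    char buf[sizeof "Hello, world 42!"];
    size_t i;

    strcpy(buf, orig);
    srand(12345);
    if (garble_text_safe(buf, 0, 2) < 0 || strlen(buf) != strlen(orig))
        return 0;
    for (i = 0; orig[i]; i++) {
        if (!isalpha((unsigned char)orig[i])) {
            if (buf[i] != orig[i]) return 0;
        } else if (buf[i] != orig[i] && strchr(garble_alphabets[2], buf[i]) == NULL) {
            return 0;
        }
    }
    return 1;
}

/* A say longer than the output buffer: returns the needed length (612 for
 * this input) while out holds exactly MAX_INPUT_LENGTH - 1 characters. */
int demo_truncation(void)
{
    char text[600];                          /* constructed: 599 'a's */
    char out[MAX_INPUT_LENGTH];
    int needed;

    memset(text, 'a', sizeof text - 1);
    text[sizeof text - 1] = '\0';
    needed = format_say(out, sizeof out, "Mark", text);
    if (strlen(out) != MAX_INPUT_LENGTH - 1 || needed < (int)sizeof out)
        return -1;
    return needed;
}

int main(void)
{
    printf("unchanged=%d properties=%d truncation_needed=%d\n",
           demo_unchanged_at_percent_100(), demo_garble_properties(), demo_truncation());
    return 0;
}
```

The point of the table is that the index limit and the buffer size can no longer drift apart: adding a longer alphabet is one string in the array, with nothing else to update. The snprintf return value is what the stock do_say loses when it ignores it; checking needed against the buffer size is how a command handler can tell the player the line was cut rather than silently dropping the tail.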
