From f1d3a7ffd40a0e6768b220cf76d05db3c57c3e89 Mon Sep 17 00:00:00 2001
From: Andrey Nazarov
Date: Sat, 5 Sep 2009 12:03:15 +0000
Subject: Fixed an off-by-one error in Info_Validate when checking the length of the whole string. Made Info_Validate more strict, no longer allow non-printable or high bit characters.
---
 source/q_shared.c | 35 +++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 14 deletions(-)
(limited to 'source/q_shared.c')
diff --git a/source/q_shared.c b/source/q_shared.c
index c349586..5019256 100644
--- a/source/q_shared.c
+++ b/source/q_shared.c
@@ -1116,30 +1116,35 @@ Also checks the length of keys/values and the whole string.
 ==================
 */
 qboolean Info_Validate( const char *s ) {
- const char *start;
- int c, len;
+ size_t len, total;
+ int c;
- start = s;
+ total = 0;
 while( 1 ) {
 //
 // validate key
 //
 if( *s == '\\' ) {
 s++;
+ if( ++total == MAX_INFO_STRING ) {
+ return qfalse; // oversize infostring
+ }
 }
 if( !*s ) {
 return qfalse; // missing key
 }
 len = 0;
 while( *s != '\\' ) {
- c = *s & 127;
- if( c == '\\' || c == '\"' || c == ';' ) {
+ c = *s++;
+ if( !Q_isprint( c ) || c == '\"' || c == ';' ) {
 return qfalse; // illegal characters
 }
- if( len == MAX_INFO_KEY - 1 ) {
+ if( ++len == MAX_INFO_KEY ) {
 return qfalse; // oversize key
 }
- s++; len++;
+ if( ++total == MAX_INFO_STRING ) {
+ return qfalse; // oversize infostring
+ }
 if( !*s ) {
 return qfalse; // missing value
 }
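Review bot: `c = *s++;` in the key loop (and again in the value loop of the second hunk) loads a plain `char` into an `int`, so on targets where `char` is signed any byte above 0x7F reaches `Q_isprint( c )` as a negative value, whereas the removed `*s & 127` never produced one. Q_isprint is not defined in this patch: if it is a pure range test the byte is rejected as intended, but if it forwards to `isprint()` from <ctype.h> a negative argument is undefined behaviour. Since this function decides which info strings are accepted, I would read the byte as `c = (unsigned char)*s++;` so the result does not depend on how Q_isprint is implemented. Info_Validate's body continues past the end of this hunk.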
@@ -1149,23 +1154,25 @@ qboolean Info_Validate( const char *s ) {
 // validate value
 //
 s++;
+ if( ++total == MAX_INFO_STRING ) {
+ return qfalse; // oversize infostring
+ }
 if( !*s ) {
 return qfalse; // missing value
 }
 len = 0;
 while( *s != '\\' ) {
- c = *s & 127;
- if( c == '\\' || c == '\"' || c == ';' ) {
+ c = *s++;
+ if( !Q_isprint( c ) || c == '\"' || c == ';' ) {
 return qfalse; // illegal characters
 }
- if( len == MAX_INFO_VALUE - 1 ) {
+ if( ++len == MAX_INFO_VALUE ) {
 return qfalse; // oversize value
 }
- s++; len++;
+ if( ++total == MAX_INFO_STRING ) {
+ return qfalse; // oversize infostring
+ }
 if( !*s ) {
- if( s - start > MAX_INFO_STRING ) {
- return qfalse;
- }
 return qtrue; // end of string
 }
 }
-- cgit v1.2.3
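Review bot: The length contract that the `++total == MAX_INFO_STRING` checks enforce, here and in the first hunk, is not written down anywhere in the function. As coded, the input is rejected as soon as its MAX_INFO_STRING-th character is consumed, so the longest accepted string has MAX_INFO_STRING - 1 characters; that presumably matches a MAX_INFO_STRING-byte buffer including the terminator. I would add that to the header comment, e.g. `Rejects strings of MAX_INFO_STRING or more characters (terminator not counted).`, so callers copying the result into fixed buffers can rely on it. A short why-comment that `==` is sufficient because `total` grows by exactly one between checks would also help. The enclosing `while( 1 )` loop and the function start outside this hunk.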