
[1.298, 1.310] CRoom::RoomChat() exploit


#1 twostars


    KO Guru

  • GateKeeper
  • Others:Donator, Snoxd server contributor
  • 6,415 posts

Posted 11 February 2012 - 12:53 PM

The length check's slightly wrong -- the buffer allows for 256 bytes, but their existing length check allows all 256 bytes to be used instead of allowing for the null-terminator. As it's then passed into sprintf(), well... nothing good can come of it.

Easy fix -- just change the "JG" (jump if greater than) instruction to a "JGE" (jump if greater than or equal to) instruction, so we're only allowing the first 255 bytes to be filled, leaving room for that pesky null-terminator.

004831A7   /0F8D A7000000   JGE 00483254

0046C06B   /0F8F A4000000   JGE 0046C115
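To make the off-by-one concrete, here is an added C example (not code from the KO client or from twostars' post; the function names, the 'A'-filled payload and the sentinel byte are all constructed for the demo). `len_ok_vulnerable` is the C equivalent of the original JG check (reject only when the length exceeds 256), `len_ok_fixed` is the equivalent of the JGE patch (reject at 256 or more). The chat buffer is carved out of a slightly larger array so that the byte sitting right after it can be inspected: with the vulnerable check, a 256-byte message is accepted and the terminating '\0' is written onto that neighbour byte. A bounded `snprintf` formatter is included because the post notes the buffer is then handed to sprintf(), and that step should be length-checked too.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHAT_BUF_SIZE 256   /* size of the chat buffer described in the post */
#define SENTINEL      0xAA  /* constructed marker for the byte after the buffer */

/* Vulnerable check: what the original JG amounts to (reject only if len > 256).
 * A 256-byte message passes, fills the buffer completely, and the terminator
 * then lands one byte past the end. */
static int len_ok_vulnerable(size_t len)
{
    return len <= CHAT_BUF_SIZE;
}

/* Fixed check: what the JGE patch amounts to (reject if len >= 256).
 * At most 255 bytes are accepted, so buf[255] is always free for the '\0'. */
static int len_ok_fixed(size_t len)
{
    return len < CHAT_BUF_SIZE;
}

/* Copies `len` bytes of constructed payload ('A's) into a 256-byte chat buffer
 * after running `check`, then writes the terminator the way a string copy would.
 * The buffer is the first 256 bytes of a 257-byte array, so the neighbour byte
 * can be read back without undefined behaviour.
 * Returns -1 if the check rejected the message, -2 if len is beyond what the
 * demo models, otherwise the neighbour byte: SENTINEL if untouched, 0 if the
 * terminator overwrote it. */
static int copy_chat_then_peek(size_t len, int (*check)(size_t))
{
    static unsigned char payload[CHAT_BUF_SIZE + 8];  /* constructed input */
    unsigned char storage[CHAT_BUF_SIZE + 1];
    char *buf = (char *)storage;                      /* the 256-byte chat buffer */

    if (len > sizeof payload)
        return -2;
    memset(payload, 'A', sizeof payload);
    memset(storage, 0, sizeof storage);
    storage[CHAT_BUF_SIZE] = SENTINEL;                /* the neighbour byte */

    if (!check(len))
        return -1;

    memcpy(buf, payload, len);
    buf[len] = '\0';        /* for len == 256 this is storage[256]: the overflow */
    return storage[CHAT_BUF_SIZE];
}

/* Bounded replacement for the sprintf() step: formats "name: msg" into `out`.
 * Returns 1 if the whole line fit, 0 if snprintf had to truncate it. */
static int format_chat_line(char *out, size_t outsz, const char *name, const char *msg)
{
    int n = snprintf(out, outsz, "%s: %s", name, msg);
    return n >= 0 && (size_t)n < outsz;
}

/* Helper: does a name/message pair fit in an output buffer of `outsz` bytes? */
static int chat_line_fits(size_t outsz, const char *name, const char *msg)
{
    char out[512];
    if (outsz > sizeof out)
        return -1;
    return format_chat_line(out, outsz, name, msg);
}

int main(void)
{
    printf("vulnerable check, len 256 -> neighbour byte = 0x%02X\n",
           copy_chat_then_peek(256, len_ok_vulnerable));
    printf("fixed check,      len 256 -> %d (rejected)\n",
           copy_chat_then_peek(256, len_ok_fixed));
    printf("fixed check,      len 255 -> neighbour byte = 0x%02X\n",
           copy_chat_then_peek(255, len_ok_fixed));
    printf("32-byte line fits 'twostars: hi': %d\n",
           chat_line_fits(32, "twostars", "hi"));
    return 0;
}
```

Run as-is, the first line prints 0x00 (the terminator clobbered the neighbour), the second prints -1 (the patched check rejects the 256-byte message), and the third prints 0xAA (255 bytes plus terminator fit exactly). In the real program the neighbour byte is whatever follows the buffer on the stack or in the object, which is why the post expects nothing good once sprintf() gets involved.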