fix: Replace sprintf with snprintf to prevent potential stack overflows (TheSuperHackers#2262)

Author: stephanmeesters

Core/GameEngine/Source/Common/INI/INI.cpp

@@ -425,7 +425,8 @@ UnsignedInt INI::load( AsciiString filename, INILoadType loadType, Xfer *pXfer )
 					} catch (...) {
 						DEBUG_CRASH(("Error parsing block '%s' in INI file '%s'", token, m_filename.str()) );
 						char buff[1024];
-						sprintf(buff, "Error parsing INI file '%s' (Line: '%s')\n", m_filename.str(), currentLine.str());
+						snprintf(buff, ARRAY_SIZE(buff), "Error parsing INI file '%s' (Line: '%s')\n",
+							m_filename.str(), currentLine.str());
 
 						throw INIException(buff);
 					}
@@ -1564,7 +1565,8 @@ void INI::initFromINIMulti( void *what, const MultiIniFieldParse& parseTableList
 
 
 							char buff[1024];
-							sprintf(buff, "[LINE: %d - FILE: '%s'] Error reading field '%s'\n", INI::getLineNum(), INI::getFilename().str(), field);
+							snprintf(buff, ARRAY_SIZE(buff), "[LINE: %d - FILE: '%s'] Error reading field '%s'\n",
+								INI::getLineNum(), INI::getFilename().str(), field);
 							throw INIException(buff);
 						}
 

Core/GameEngine/Source/GameNetwork/GameSpy/StagingRoomGameInfo.cpp

@@ -861,7 +861,8 @@ void GameSpyStagingRoom::launchGame( void )
 	req.buddyRequestType = BuddyRequest::BUDDYREQUEST_SETSTATUS;
 	req.arg.status.status = GP_PLAYING;
 	strcpy(req.arg.status.statusString, "Loading");
-	sprintf(req.arg.status.locationString, "%s", WideCharStringToMultiByte(getGameName().str()).c_str());
+	strlcpy(req.arg.status.locationString, WideCharStringToMultiByte(getGameName().str()).c_str(),
+		ARRAY_SIZE(req.arg.status.locationString));
 	TheGameSpyBuddyMessageQueue->addRequest(req);
 
 	delete TheNAT;

Core/GameEngine/Source/GameNetwork/GameSpy/Thread/PeerThread.cpp

@@ -670,22 +670,22 @@ static void updateBuddyStatus( GameSpyBuddyStatus status, Int groupRoom = 0, std
 		case BUDDY_LOBBY:
 			req.arg.status.status = GP_CHATTING;
 			strcpy(req.arg.status.statusString, "Chatting");
-			sprintf(req.arg.status.locationString, "%d", groupRoom);
+			snprintf(req.arg.status.locationString, ARRAY_SIZE(req.arg.status.locationString), "%d", groupRoom);
 			break;
 		case BUDDY_STAGING:
 			req.arg.status.status = GP_STAGING;
 			strcpy(req.arg.status.statusString, "Staging");
-			sprintf(req.arg.status.locationString, "%s", gameName.c_str());
+			strlcpy(req.arg.status.locationString, gameName.c_str(), ARRAY_SIZE(req.arg.status.locationString));
 			break;
 		case BUDDY_LOADING:
 			req.arg.status.status = GP_PLAYING;
 			strcpy(req.arg.status.statusString, "Loading");
-			sprintf(req.arg.status.locationString, "%s", gameName.c_str());
+			strlcpy(req.arg.status.locationString, gameName.c_str(), ARRAY_SIZE(req.arg.status.locationString));
 			break;
 		case BUDDY_PLAYING:
 			req.arg.status.status = GP_PLAYING;
 			strcpy(req.arg.status.statusString, "Playing");
-			sprintf(req.arg.status.locationString, "%s", gameName.c_str());
+			strlcpy(req.arg.status.locationString, gameName.c_str(), ARRAY_SIZE(req.arg.status.locationString));
 			break;
 		case BUDDY_MATCHING:
 			req.arg.status.status = GP_ONLINE;

Core/GameEngineDevice/Source/VideoDevice/Bink/BinkVideoPlayer.cpp

@@ -229,7 +229,7 @@ VideoStreamInterface*	BinkVideoPlayer::open( AsciiString movieTitle )
 		if (TheGlobalData->m_modDir.isNotEmpty())
 		{
 			char filePath[ _MAX_PATH ];
-			sprintf( filePath, "%s%s\\%s.%s", TheGlobalData->m_modDir.str(), VIDEO_PATH, pVideo->m_filename.str(), VIDEO_EXT );
+			snprintf( filePath, ARRAY_SIZE(filePath), "%s%s\\%s.%s", TheGlobalData->m_modDir.str(), VIDEO_PATH, pVideo->m_filename.str(), VIDEO_EXT );
 			HBINK handle = BinkOpen(filePath , BINKPRELOADALL );
 			DEBUG_ASSERTLOG(!handle, ("opened bink file %s", filePath));
 			if (handle)
@@ -239,13 +239,13 @@ VideoStreamInterface*	BinkVideoPlayer::open( AsciiString movieTitle )
 		}
 
 		char localizedFilePath[ _MAX_PATH ];
-		sprintf( localizedFilePath, VIDEO_LANG_PATH_FORMAT, GetRegistryLanguage().str(), pVideo->m_filename.str(), VIDEO_EXT );
+		snprintf( localizedFilePath, ARRAY_SIZE(localizedFilePath), VIDEO_LANG_PATH_FORMAT, GetRegistryLanguage().str(), pVideo->m_filename.str(), VIDEO_EXT );
 		HBINK handle = BinkOpen(localizedFilePath , BINKPRELOADALL );
 		DEBUG_ASSERTLOG(!handle, ("opened localized bink file %s", localizedFilePath));
 		if (!handle)
 		{
 			char filePath[ _MAX_PATH ];
-			sprintf( filePath, "%s\\%s.%s", VIDEO_PATH, pVideo->m_filename.str(), VIDEO_EXT );
+			snprintf( filePath, ARRAY_SIZE(filePath), "%s\\%s.%s", VIDEO_PATH, pVideo->m_filename.str(), VIDEO_EXT );
 			handle = BinkOpen(filePath , BINKPRELOADALL );
 			DEBUG_ASSERTLOG(!handle, ("opened bink file %s", localizedFilePath));
 		}

Core/GameEngineDevice/Source/VideoDevice/FFmpeg/FFmpegVideoPlayer.cpp

@@ -235,7 +235,7 @@ VideoStreamInterface*	FFmpegVideoPlayer::open( AsciiString movieTitle )
 		if (TheGlobalData->m_modDir.isNotEmpty())
 		{
 			char filePath[ _MAX_PATH ];
-			sprintf( filePath, "%s%s\\%s.%s", TheGlobalData->m_modDir.str(), VIDEO_PATH, pVideo->m_filename.str(), VIDEO_EXT );
+			snprintf( filePath, ARRAY_SIZE(filePath), "%s%s\\%s.%s", TheGlobalData->m_modDir.str(), VIDEO_PATH, pVideo->m_filename.str(), VIDEO_EXT );
 			File* file =  TheFileSystem->openFile(filePath);
 			DEBUG_ASSERTLOG(!file, ("opened bink file %s", filePath));
 			if (file)
@@ -245,13 +245,13 @@ VideoStreamInterface*	FFmpegVideoPlayer::open( AsciiString movieTitle )
 		}
 
 		char localizedFilePath[ _MAX_PATH ];
-		sprintf( localizedFilePath, VIDEO_LANG_PATH_FORMAT, GetRegistryLanguage().str(), pVideo->m_filename.str(), VIDEO_EXT );
+		snprintf( localizedFilePath, ARRAY_SIZE(localizedFilePath), VIDEO_LANG_PATH_FORMAT, GetRegistryLanguage().str(), pVideo->m_filename.str(), VIDEO_EXT );
 		File* file =  TheFileSystem->openFile(localizedFilePath);
 		DEBUG_ASSERTLOG(!file, ("opened localized bink file %s", localizedFilePath));
 		if (!file)
 		{
 			char filePath[ _MAX_PATH ];
-			sprintf( filePath, "%s\\%s.%s", VIDEO_PATH, pVideo->m_filename.str(), VIDEO_EXT );
+			snprintf( filePath, ARRAY_SIZE(filePath), "%s\\%s.%s", VIDEO_PATH, pVideo->m_filename.str(), VIDEO_EXT );
 			file = TheFileSystem->openFile(filePath);
 			DEBUG_ASSERTLOG(!file, ("opened bink file %s", filePath));
 		}

Core/GameEngineDevice/Source/W3DDevice/GameClient/Drawable/Draw/W3DModelDraw.cpp

@@ -763,12 +763,12 @@ void ModelConditionInfo::validateWeaponBarrelInfo() const
 
 				if (!recoilBoneName.isEmpty())
 				{
-					sprintf(buffer, "%s%02d", recoilBoneName.str(), i);
+					snprintf(buffer, ARRAY_SIZE(buffer), "%s%02d", recoilBoneName.str(), i);
 					findPristineBone(NAMEKEY(buffer), &info.m_recoilBone);
 				}
 				if (!mfName.isEmpty())
 				{
-					sprintf(buffer, "%s%02d", mfName.str(), i);
+					snprintf(buffer, ARRAY_SIZE(buffer), "%s%02d", mfName.str(), i);
 					findPristineBone(NAMEKEY(buffer), &info.m_muzzleFlashBone);
 #if defined(RTS_DEBUG) || defined(DEBUG_CRASHING)
 					if (info.m_muzzleFlashBone)
@@ -777,7 +777,7 @@ void ModelConditionInfo::validateWeaponBarrelInfo() const
 				}
 				if (!fxBoneName.isEmpty())
 				{
-					sprintf(buffer, "%s%02d", fxBoneName.str(), i);
+					snprintf(buffer, ARRAY_SIZE(buffer), "%s%02d", fxBoneName.str(), i);
 					findPristineBone(NAMEKEY(buffer), &info.m_fxBone);
 					// special case: if we have multiple muzzleflashes, but only one fxbone, use that fxbone for everything.
 					if (info.m_fxBone == 0 && info.m_muzzleFlashBone != 0)
@@ -787,7 +787,7 @@ void ModelConditionInfo::validateWeaponBarrelInfo() const
 				Int plbBoneIndex = 0;
 				if (!plbName.isEmpty())
 				{
-					sprintf(buffer, "%s%02d", plbName.str(), i);
+					snprintf(buffer, ARRAY_SIZE(buffer), "%s%02d", plbName.str(), i);
 					const Matrix3D* mtx = findPristineBone(NAMEKEY(buffer), &plbBoneIndex);
 					if (mtx != nullptr)
 						info.m_projectileOffsetMtx = *mtx;
@@ -3446,7 +3446,7 @@ Int W3DModelDraw::getPristineBonePositionsForConditionState(
 		if (i == 0)
 			strlcpy(buffer, boneNamePrefix, ARRAY_SIZE(buffer));
 		else
-			sprintf(buffer, "%s%02d", boneNamePrefix, i);
+			snprintf(buffer, ARRAY_SIZE(buffer), "%s%02d", boneNamePrefix, i);
 
 		for (char *c = buffer; c && *c; ++c)
 		{
@@ -3603,7 +3603,7 @@ Int W3DModelDraw::getCurrentBonePositions(
 		if (i == 0)
 			strlcpy(buffer, boneNamePrefix, ARRAY_SIZE(buffer));
 		else
-			sprintf(buffer, "%s%02d", boneNamePrefix, i);
+			snprintf(buffer, ARRAY_SIZE(buffer), "%s%02d", boneNamePrefix, i);
 
 		Int boneIndex = m_renderObject->Get_Bone_Index(buffer);
 		if (boneIndex == 0)

Core/GameEngineDevice/Source/W3DDevice/GameClient/Drawable/Draw/W3DSupplyDraw.cpp

@@ -96,7 +96,7 @@ void W3DSupplyDraw::updateDrawModuleSupplyStatus( Int maxSupply, Int currentSupp
 		while( currentIndex <= highIndex )
 		{
 			char buffer[16];
-			sprintf( buffer, "%s%02d", boneName.str(), currentIndex );
+			snprintf( buffer, ARRAY_SIZE(buffer), "%s%02d", boneName.str(), currentIndex );
 			ModelConditionInfo::HideShowSubObjInfo info;
 			info.hide = hide;
 			info.subObjName = buffer;

Core/GameEngineDevice/Source/W3DDevice/GameClient/W3DTreeBuffer.cpp

@@ -458,10 +458,10 @@ void W3DTreeBuffer::updateTexture(void)
 	for (i=0; i<m_numTreeTypes; i++) {
 		char texturePath[ _MAX_PATH ];
 		m_treeTypes[i].m_numTiles = 0;
-		sprintf( texturePath, "%s%s", TERRAIN_TGA_DIR_PATH, m_treeTypes[i].m_data->m_textureName.str() );
+		snprintf( texturePath, ARRAY_SIZE(texturePath), "%s%s", TERRAIN_TGA_DIR_PATH, m_treeTypes[i].m_data->m_textureName.str() );
 		theFile = TheFileSystem->openFile( texturePath, File::READ|File::BINARY);
 		if (theFile==nullptr) {
-			sprintf( texturePath, "%s%s", TGA_DIR_PATH, m_treeTypes[i].m_data->m_textureName.str() );
+			snprintf( texturePath, ARRAY_SIZE(texturePath), "%s%s", TGA_DIR_PATH, m_treeTypes[i].m_data->m_textureName.str() );
 			theFile = TheFileSystem->openFile( texturePath, File::READ|File::BINARY);
 		}
 		if (theFile != nullptr) {

Core/GameEngineDevice/Source/W3DDevice/GameClient/WorldHeightMap.cpp

@@ -1004,7 +1004,7 @@ void WorldHeightMap::readTexClass(TXTextureClass *texClass, TileData **tileData)
 	}
 	else
 	{
-		sprintf( texturePath, "%s%s", TERRAIN_TGA_DIR_PATH, terrain->getTexture().str() );
+		snprintf( texturePath, ARRAY_SIZE(texturePath), "%s%s", TERRAIN_TGA_DIR_PATH, terrain->getTexture().str() );
 		theFile = TheFileSystem->openFile( texturePath, File::READ|File::BINARY);
 	}
 

Core/Libraries/Source/WWVegas/WW3D2/FramGrab.cpp

@@ -49,15 +49,15 @@ FrameGrabClass::FrameGrabClass(const char *filename, MODE mode, int width, int h
 	int result;
 	char file[256];
 	do {
-		sprintf(file, "%s%d.AVI", filename, counter++);
+		snprintf(file, ARRAY_SIZE(file), "%s%d.AVI", filename, counter++);
 		result = _access(file, 0);
 	} while(result != -1);
 
 	// Create new AVI file using AVIFileOpen.
     hr = AVIFileOpen(&AVIFile, file, OF_WRITE | OF_CREATE, nullptr);
     if (hr != 0) {
 		char buf[256];
-		sprintf(buf, "Unable to open %s\n", Filename);
+		snprintf(buf, ARRAY_SIZE(buf), "Unable to open %s\n", Filename);
 		OutputDebugString(buf);
 		CleanupAVI();
 		return;