fix crash when chat message is too long

Len byte was limited to 255, but would get clipped (masked with 0xFF)
then all the string data would get written. So on receipt, the clipped
length was taken to be that of the string data, with the rest of the
string to be interpreted as something else. An array index, in this
case.
This commit is contained in:
Eric House 2020-03-26 18:12:37 -07:00 committed by Eric House
parent 3b80e51439
commit de3809aa7d
3 changed files with 7 additions and 5 deletions

View file

@ -1868,7 +1868,7 @@ public class DBUtils {
{ {
Assert.assertNotNull( msg ); Assert.assertNotNull( msg );
Assert.assertFalse( -1 == fromPlayer ); Assert.assertFalse( -1 == fromPlayer );
ArrayList<ContentValues> valuess = new ArrayList<ContentValues>(); ArrayList<ContentValues> valuess = new ArrayList<>();
valuess.add( cvForChat( rowid, msg, fromPlayer, tsSeconds ) ); valuess.add( cvForChat( rowid, msg, fromPlayer, tsSeconds ) );
appendChatHistory( context, valuess ); appendChatHistory( context, valuess );
Log.i( TAG, "appendChatHistory: inserted \"%s\" from player %d", Log.i( TAG, "appendChatHistory: inserted \"%s\" from player %d",

View file

@ -722,7 +722,6 @@ sendChatTo( ServerCtxt* server, XP_U16 devIndex, const XP_UCHAR* msg,
XWStreamCtxt* stream = messageStreamWithHeader( server, devIndex, XWStreamCtxt* stream = messageStreamWithHeader( server, devIndex,
XWPROTO_CHAT ); XWPROTO_CHAT );
stringToStream( stream, msg ); stringToStream( stream, msg );
XP_ASSERT( from < server->vol.gi->nPlayers );
stream_putU8( stream, from ); stream_putU8( stream, from );
stream_putU32( stream, timestamp ); stream_putU32( stream, timestamp );
stream_destroy( stream ); stream_destroy( stream );
@ -766,7 +765,6 @@ receiveChat( ServerCtxt* server, XWStreamCtxt* incoming )
sendChatToClientsExcept( server, sourceClientIndex, msg, from, sendChatToClientsExcept( server, sourceClientIndex, msg, from,
timestamp ); timestamp );
} }
XP_ASSERT( from < server->vol.gi->nPlayers );
util_showChat( server->vol.util, msg, from, timestamp ); util_showChat( server->vol.util, msg, from, timestamp );
XP_FREE( server->mpool, msg ); XP_FREE( server->mpool, msg );
return XP_TRUE; return XP_TRUE;

View file

@ -268,7 +268,11 @@ void
stringToStream( XWStreamCtxt* stream, const XP_UCHAR* str ) stringToStream( XWStreamCtxt* stream, const XP_UCHAR* str )
{ {
XP_U16 len = str == NULL? 0: XP_STRLEN( str ); XP_U16 len = str == NULL? 0: XP_STRLEN( str );
XP_ASSERT( len < 0xFF ); if ( len > 0xFF ) {
XP_LOGFF( "truncating string '%s', dropping len from %d to %d",
str, len, 0xFF );
len = 0xFF;
}
stream_putU8( stream, (XP_U8)len ); stream_putU8( stream, (XP_U8)len );
stream_putBytes( stream, str, len ); stream_putBytes( stream, str, len );
} /* putStringToStream */ } /* putStringToStream */