From 0366a6c57fa70fb70d35397c15ede0789e94f8d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Janiszewski?=
Date: Fri, 6 May 2016 10:58:06 +0200
Subject: [PATCH] Fix possible bad memory access when placing track design

Name of ride can be set to a string of variable length, like in `track_design_open` it gets set to the variable length filename. In `ride_set_name`, however, the ride name is accessed as if it was 36-bytes long anyway. This makes sure all 36 bytes are available for accessing.
---
src/ride/ride.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/ride/ride.c b/src/ride/ride.c
index 1764afc864..eacb6820cd 100644
--- a/src/ride/ride.c
+++ b/src/ride/ride.c
@@ -5498,10 +5498,12 @@ void game_command_set_ride_status(int *eax, int *ebx, int *ecx, int *edx, int *e
 
 void ride_set_name(int rideIndex, const char *name)
 {
+ char name_buffer[36];
+ safe_strcpy(name_buffer, name, sizeof(name_buffer));
 gGameCommandErrorTitle = STR_CANT_RENAME_RIDE_ATTRACTION;
- game_do_command(1, (rideIndex << 8) | 1, 0, *((int*)(name + 0)), GAME_COMMAND_SET_RIDE_NAME, *((int*)(name + 8)), *((int*)(name + 4)));
- game_do_command(2, (rideIndex << 8) | 1, 0, *((int*)(name + 12)), GAME_COMMAND_SET_RIDE_NAME, *((int*)(name + 20)), *((int*)(name + 16)));
- game_do_command(0, (rideIndex << 8) | 1, 0, *((int*)(name + 24)), GAME_COMMAND_SET_RIDE_NAME, *((int*)(name + 32)), *((int*)(name + 28)));
+ game_do_command(1, (rideIndex << 8) | 1, 0, *((int*)(name_buffer + 0)), GAME_COMMAND_SET_RIDE_NAME, *((int*)(name_buffer + 8)), *((int*)(name_buffer + 4)));
+ game_do_command(2, (rideIndex << 8) | 1, 0, *((int*)(name_buffer + 12)), GAME_COMMAND_SET_RIDE_NAME, *((int*)(name_buffer + 20)), *((int*)(name_buffer + 16)));
+ game_do_command(0, (rideIndex << 8) | 1, 0, *((int*)(name_buffer + 24)), GAME_COMMAND_SET_RIDE_NAME, *((int*)(name_buffer + 32)), *((int*)(name_buffer + 28)));
 }
 
 /**
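Review bot: The new `name_buffer[36]` is not initialised, so for any name shorter than 35 characters the three `game_do_command` calls still read bytes past the terminator — now uninitialised stack instead of out-of-bounds heap, and those bytes are passed on as part of the ride name. `safe_strcpy` is not in the hunk; if it behaves like `strncpy`-with-termination and does not pad, the fix is `char name_buffer[36] = { 0 };`, which also keeps arbitrary stack contents out of whatever later stores or transmits the name. Separately, `*((int*)(name_buffer + 4))` reads a `char` array through an `int*`, which is a strict-aliasing violation and a misaligned access on some targets; copying the buffer into an `int words[9]` with `memcpy` (needs `<string.h>` if not already included) avoids both while keeping the same nine words and argument order.

```c
void ride_set_name(int rideIndex, const char *name)
{
	// Zero-fill so the bytes after the terminator are defined, then read the
	// nine 4-byte words via memcpy instead of an int* cast of a char array.
	char name_buffer[36] = { 0 };
	int words[9];
	safe_strcpy(name_buffer, name, sizeof(name_buffer));
	memcpy(words, name_buffer, sizeof(words));
	gGameCommandErrorTitle = STR_CANT_RENAME_RIDE_ATTRACTION;
	game_do_command(1, (rideIndex << 8) | 1, 0, words[0], GAME_COMMAND_SET_RIDE_NAME, words[2], words[1]);
	game_do_command(2, (rideIndex << 8) | 1, 0, words[3], GAME_COMMAND_SET_RIDE_NAME, words[5], words[4]);
	game_do_command(0, (rideIndex << 8) | 1, 0, words[6], GAME_COMMAND_SET_RIDE_NAME, words[8], words[7]);
}
```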