Subject: fix for vulnerability CVE-2005-2764 for OpenTTD 0.3.5 - 0.4.0.1 (Multiple buffer overflows) From: OpenTTD developer team Origin: backport, Bug: Multiple format string vulnerabilities that allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors. Attached are patches for some vulnerable versions. Versions from before 0.3.5 had no (good) functioning network play. Making patches for those versions is quite easy as it is replacing “vsprintf(a” with “vsnprintf(a, sizeof(a)”. Note: this is a partial backport of trunk r2899.
Index: network.c
===================================================================
--- network.c
+++ network.c
@@ -96,7 +96,7 @@
 StringID TempStr = STR_NULL;
 va_start(va, str);
- vsprintf(buf, str, va);
+ vsnprintf(buf, sizeof(buf), str, va);
 va_end(va);
 switch (action) {
Index: ttd.c
===================================================================
--- ttd.c
+++ ttd.c
@@ -70,7 +70,7 @@
 va_list va;
 char buf[512];
 va_start(va, s);
- vsprintf(buf, s, va);
+ vsnprintf(buf, sizeof(buf), s, va);
 va_end(va);
 ShowOSErrorBox(buf);
@@ -86,7 +86,7 @@
 va_list va;
 char buf[1024];
 va_start(va, str);
- vsprintf(buf, str, va);
+ vsnprintf(buf, sizeof(buf), str, va);
 va_end(va);
 ShowInfo(buf);
 }
@@ -99,7 +99,7 @@
 char *p;
 va_start(va, str);
- len = vsprintf(buf, str, va);
+ len = vsnprintf(buf, sizeof(buf), str, va);
 va_end(va);
 p = malloc(len + 1);
 if (p)
Index: texteff.c
===================================================================
--- texteff.c
+++ texteff.c
@@ -57,7 +57,7 @@
 int length;
 va_start(va, message);
- vsprintf(buf, message, va);
+ vsnprintf(buf, sizeof(buf), message, va);
 va_end(va);
 /* Special color magic */
Index: win32.c
===================================================================
--- win32.c
+++ win32.c
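Review bot: The `sizeof(buf)` introduced on the vsnprintf line is only a real bound if `buf` is a local array, and its declaration lies outside this hunk (the same holds for the texteff.c hunk and the third ttd.c hunk), so the diff alone cannot confirm that `buf` is not a `char *` whose `sizeof` would be the pointer width; worth verifying against the full function. The enclosing function both begins and ends outside the hunk. vsnprintf also truncates silently, which is presumably acceptable for a chat/message path, but a comment such as `/* message is truncated to sizeof(buf) - 1 chars; the excess is dropped */` above the call would record that as intended.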
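Review bot: In the third ttd.c hunk (`@@ -99,7 +99,7 @@`) `len` now holds the length vsnprintf would have produced, not the number of characters actually stored in `buf`, so when the formatted text exceeds the buffer `malloc(len + 1)` over-allocates and any later copy of `len + 1` bytes out of `buf` reads past the end of the array; vsnprintf may also return a negative value on error, which makes `len + 1` zero or negative. Assuming `len` is an `int` (its declaration is outside the hunk), clamp it before the allocation: `if (len < 0) len = 0; else if ((size_t)len >= sizeof(buf)) len = (int)sizeof(buf) - 1;`. The remainder of the function, including whatever copies `buf` into `p`, lies outside the hunk, so the exact downstream consequence is inferred rather than visible.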
@@ -841,7 +841,7 @@
 char buf[512];
 va_start(va, cmd);
- vsprintf(buf, cmd, va);
+ vsnprintf(buf, sizeof(buf), cmd, va);
 va_end(va);
 return mciSendStringA(buf, NULL, 0, 0);
 }
Index: os2.c
===================================================================
--- os2.c
+++ os2.c
@@ -642,7 +642,7 @@
 va_list va;
 char buf[512];
 va_start(va, cmd);
- vsprintf(buf, cmd, va);
+ vsnprintf(buf, sizeof(buf), cmd, va);
 va_end(va);
 return mciSendString(buf, NULL, 0, NULL, 0);
 }
Index: strgen/strgen.c
===================================================================
--- strgen/strgen.c
+++ strgen/strgen.c
@@ -84,7 +84,7 @@
 char buf[1024];
 va_list va;
 va_start(va, s);
- vsprintf(buf, s, va);
+ vsnprintf(buf, sizeof(buf), s, va);
 va_end(va);
 fprintf(stderr, "%d: ERROR: %s\n", _cur_line, buf);
 _warnings = true;
@@ -94,7 +94,7 @@
 char buf[1024];
 va_list va;
 va_start(va, s);
- vsprintf(buf, s, va);
+ vsnprintf(buf, sizeof(buf), s, va);
 va_end(va);
 fprintf(stderr, "%d: FATAL: %s\n", _cur_line, buf);
 exit(1);
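Review bot: The string passed to `mciSendStringA` on the return line is only guaranteed NUL-terminated if `vsnprintf` here resolves to a C99-conforming implementation; if the Windows build maps the name to MSVC's `_vsnprintf` (common in projects of this era), a formatted result of 512 or more characters fills every byte of `buf` without a terminator and returns -1, and the MCI call would then read past the array. Unless the target is known to be C99-clean, add `buf[sizeof(buf) - 1] = '\0';` after `va_end(va);`. The os2.c hunk below has the same shape, and the same caveat applies there depending on that platform's vsnprintf semantics.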