Clients format string, ScrollInfoT::Print()

Issue #21 resolved
Former user created an issue

The client's engine is affected by a format string vulnerability located in the calling of the `ScrollInfoT::Print` function used for showing messages on the screen. Unlike `Console->Print`, which shows one string in the console, this one uses a printf-like format, but the format argument is missing in a couple of locations, one of which is the visualization of the chat messages.

Ca3DE\Client\ClientStateInGame.cpp:

```cpp
...
case SC1_ChatMsg:
{
    const char* ChatMessage=InData.ReadString();

    cf::LogDebug(net, "SC1_ChatMsg: %s", ChatMessage);
    Console->Print(std::string(ChatMessage)+"\n");
    ChatScrollInfo.Print(ChatMessage);   // untrusted ChatMessage is passed as the format argument
    break;
}
...
```

The result is that an attacker from the same server or (better) from another client can crash or execute malicious code on any other client connected to the server.

Note that `Scrollinfo.Printf` is used without a format argument also in the `ClientStateInGameT::Render` function.
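To make the defect and its fix concrete, here is an added example (not code from the Cafu/Ca3DE project; the `ScrollInfoT` below is a minimal stand-in for the engine's printf-style screen-message API, and the helper names are invented). It shows the vulnerable call shape beside the corrected one, and a small scanner a defender can use to flag incoming messages that carry conversion directives. The contrast case uses only `%%`, which is well defined for a format with no arguments, so the example runs without undefined behaviour.

```cpp
#include <cstdarg>
#include <cstdio>
#include <string>

// Hypothetical stand-in for a printf-style on-screen message sink.
struct ScrollInfoT {
    std::string last;   // last rendered line, kept so callers can inspect it

    // printf-like: `fmt` is interpreted, so it must never be attacker data.
    void Print(const char* fmt, ...) {
        char buf[256];
        va_list ap;
        va_start(ap, fmt);
        vsnprintf(buf, sizeof buf, fmt, ap);
        va_end(ap);
        last = buf;
    }
};

// Vulnerable shape (mirrors the SC1_ChatMsg handler): the untrusted
// chat text becomes the format string itself. With a benign message the
// only visible symptom is that "%%" collapses to "%"; with conversion
// directives present, behaviour is undefined.
std::string ShowChatUnsafe(ScrollInfoT& s, const char* chatMessage) {
    s.Print(chatMessage);
    return s.last;
}

// Fixed shape: a constant format, the message is passed as data and is
// rendered verbatim whatever characters it contains.
std::string ShowChatSafe(ScrollInfoT& s, const char* chatMessage) {
    s.Print("%s", chatMessage);
    return s.last;
}

// Defensive check: count conversion directives in a message. A chat
// message that legitimately needs none can be logged or rejected when
// the count is non-zero; "%%" is a literal percent and is not counted.
int CountDirectives(const std::string& msg) {
    int n = 0;
    for (std::size_t i = 0; i < msg.size(); ++i) {
        if (msg[i] != '%') continue;
        if (i + 1 < msg.size() && msg[i + 1] == '%') { ++i; continue; }
        ++n;
    }
    return n;
}

int main() {
    ScrollInfoT s;
    const char* constructed = "download 100%% done";   // constructed sample message
    std::printf("unsafe: %s\n", ShowChatUnsafe(s, constructed).c_str());
    std::printf("safe:   %s\n", ShowChatSafe(s, constructed).c_str());
    std::printf("directives in \"%s\": %d\n", "hi %s %n", CountDirectives("hi %s %n"));
    return 0;
}
```

Compiling the engine with `-Wformat -Wformat-security` (GCC/Clang) reports the `Print(chatMessage)` shape when the callee is declared with the printf format attribute, which is the cheapest way to find the other missing-format call sites such as the one in `Render`.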
