From d08faa6e5de60a0ca0323ca4778109fba1291fbe Mon Sep 17 00:00:00 2001 From: sfan5 Date: Thu, 19 Aug 2021 20:14:22 +0200 Subject: [PATCH] Validate staticdata and object property length limits Some games provide users with enough freedom to create items with metadata longer than 64KB, preventing this from causing issues is on them but we'll still do the minimum not to abort the server if this happens. --- src/object_properties.cpp | 34 ++++++++++++++++++++++++++++++++- src/object_properties.h | 2 ++ src/script/lua_api/l_object.cpp | 2 ++ src/staticobject.cpp | 24 +++++++++++++++++++++++ 4 files changed, 61 insertions(+), 1 deletion(-) diff --git a/src/object_properties.cpp b/src/object_properties.cpp index f0056622c..c90006c52 100644 --- a/src/object_properties.cpp +++ b/src/object_properties.cpp @@ -83,6 +83,39 @@ std::string ObjectProperties::dump() return os.str(); } +bool ObjectProperties::validate() +{ + const char *func = "ObjectProperties::validate(): "; + bool ret = true; + + // cf. where serializeString16 is used below + for (u32 i = 0; i < textures.size(); i++) { + if (textures[i].size() > U16_MAX) { + warningstream << func << "texture " << (i+1) << " has excessive length, " + "clearing it." << std::endl; + textures[i].clear(); + ret = false; + } + } + if (nametag.length() > U16_MAX) { + warningstream << func << "nametag has excessive length, clearing it." << std::endl; + nametag.clear(); + ret = false; + } + if (infotext.length() > U16_MAX) { + warningstream << func << "infotext has excessive length, clearing it." << std::endl; + infotext.clear(); + ret = false; + } + if (wield_item.length() > U16_MAX) { + warningstream << func << "wield_item has excessive length, clearing it." << std::endl; + wield_item.clear(); + ret = false; + } + + return ret; +} + void ObjectProperties::serialize(std::ostream &os, u16 protocol_version) const { if (protocol_version > 36) @@ -139,7 +172,6 @@ void ObjectProperties::serialize(std::ostream &os, u16 protocol_version) const writeU8(os, is_visible); writeU8(os, makes_footstep_sound); writeF(os, automatic_rotate, protocol_version); - // Added in protocol version 14 os << serializeString16(mesh); writeU16(os, colors.size()); for (video::SColor color : colors) { diff --git a/src/object_properties.h b/src/object_properties.h index e330d72bd..6045cf8ec 100644 --- a/src/object_properties.h +++ b/src/object_properties.h @@ -68,6 +68,8 @@ struct ObjectProperties ObjectProperties(); std::string dump(); + // check limits of some important properties (strings) that'd cause exceptions later on + bool validate(); void serialize(std::ostream &os, u16 protocol_version) const; void deSerialize(std::istream &is); }; diff --git a/src/script/lua_api/l_object.cpp b/src/script/lua_api/l_object.cpp index 12fb0c8eb..4385597cd 100644 --- a/src/script/lua_api/l_object.cpp +++ b/src/script/lua_api/l_object.cpp @@ -685,6 +685,7 @@ int ObjectRef::l_set_properties(lua_State *L) return 0; read_object_properties(L, 2, sao, prop, getServer(L)->idef()); + prop->validate(); sao->notifyObjectPropertiesModified(); return 0; } @@ -752,6 +753,7 @@ int ObjectRef::l_set_nametag_attributes(lua_State *L) std::string nametag = getstringfield_default(L, 2, "text", ""); prop->nametag = nametag; + prop->validate(); sao->notifyObjectPropertiesModified(); lua_pushboolean(L, true); return 1; diff --git a/src/staticobject.cpp b/src/staticobject.cpp index 1ea02116c..e5509550e 100644 --- a/src/staticobject.cpp +++ b/src/staticobject.cpp @@ -37,6 +37,7 @@ void StaticObject::serialize(std::ostream &os) // data os< bool { + if (obj.data.size() > U16_MAX) { + errorstream << "StaticObjectList::serialize(): " + "object has excessive static data (" << obj.data.size() << + "), deleting it." << std::endl; + return true; + } + return false; + }; + for (auto it = m_stored.begin(); it != m_stored.end(); ) { + if (problematic(*it)) + it = m_stored.erase(it); + else + it++; + } + for (auto it = m_active.begin(); it != m_active.end(); ) { + if (problematic(it->second)) + it = m_active.erase(it); + else + it++; + } + // version u8 version = 0; writeU8(os, version);