From 701c6c8968fea04dc13f02c3cc5e3e7841e48345 Mon Sep 17 00:00:00 2001
From: "X.organic" <dilithium.no3@protonmail.com>
Date: Tue, 6 Apr 2021 01:01:33 +0200
Subject: [PATCH] Fix myhashfgets-related buffer overflows in deh_soc.c

---
 src/deh_soc.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/deh_soc.c b/src/deh_soc.c
index 5b12ea1b0b..bc7533ee00 100644
--- a/src/deh_soc.c
+++ b/src/deh_soc.c
@@ -229,7 +229,10 @@ void readPlayer(MYFILE *f, INT32 num)
 
 				SLOTFOUND
 
-				for (i = 0; i < MAXLINELEN-3; i++)
+				// A friendly neighborhood alias for brevity's sake
+				const size_t note_size = sizeof(description[num].notes);
+
+				for (i = 0; i < MAXLINELEN-note_size-3; i++)
 				{
 					if (s[i] == '=')
 					{
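Review bot: The new bound `MAXLINELEN-note_size-3` is evaluated in size_t, so if `note_size + 3` ever exceeds MAXLINELEN the subtraction wraps to a huge value and the scan of `s` runs off the end of the buffer instead of stopping early; `i` (declared outside the hunk, presumably a signed INT32 as elsewhere in readPlayer) is also now compared against an unsigned bound. Keeping the bound signed, `for (i = 0; i < (INT32)MAXLINELEN - (INT32)note_size - 3; i++)`, or adding a compile-time guard such as `_Static_assert(MAXLINELEN > sizeof(description[0].notes) + 3, "notes must fit in a line");` where the build's C standard allows it, would make the assumption explicit. The alias comment says nothing about why the bound subtracts note_size; something like `// stop early enough that playertext has note_size bytes left in s for myhashfgets` would document it. readPlayer begins before this hunk and the for body continues after it.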
@@ -239,8 +242,9 @@ void readPlayer(MYFILE *f, INT32 num)
 				}
 				if (playertext)
 				{
-					strcpy(description[num].notes, playertext);
-					strcat(description[num].notes, myhashfgets(playertext, sizeof (description[num].notes), f));
+					strlcpy(description[num].notes, playertext, note_size);
+					strlcat(description[num].notes,
+						myhashfgets(playertext, note_size, f), note_size);
 				}
 				else
 					strcpy(description[num].notes, "");
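Review bot: `strlcat` is handed the return value of `myhashfgets` directly; if myhashfgets behaves like fgets and returns NULL at end of file, that is a NULL dereference, a gap the old strcat already had and this commit leaves open (the same pattern is in the gtdescription hunk below). The strlcpy/strlcat pair now truncates silently, so checking the return value, `if (strlcat(description[num].notes, ..., note_size) >= note_size)` and logging a dehacked warning, would make a too-long notes entry visible rather than quiet. myhashfgets is told it may write note_size bytes at playertext, which appears to point into s; that is only safe because the loop above stops at MAXLINELEN-note_size-3, and a comment such as `// playertext has at least note_size bytes left in s (see loop bound above)` would tie the two together. The enclosing block of readPlayer starts before this hunk.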
@@ -249,7 +253,7 @@ void readPlayer(MYFILE *f, INT32 num)
 				// It works down here, though.
 				{
 					INT32 numline = 0;
-					for (i = 0; (size_t)i < sizeof(description[num].notes)-1; i++)
+					for (i = 0; (size_t)i < note_size-1; i++)
 					{
 						if (numline < 20 && description[num].notes[i] == '\n')
 							numline++;
@@ -1140,8 +1144,10 @@ void readgametype(MYFILE *f, char *gtname)
 				}
 				if (descr)
 				{
-					strcpy(gtdescription, descr);
-					strcat(gtdescription, myhashfgets(descr, sizeof (gtdescription), f));
+					strlcpy(gtdescription, descr, sizeof (gtdescription));
+					strlcat(gtdescription,
+						myhashfgets(descr, sizeof (gtdescription), f),
+						sizeof (gtdescription));
 				}
 				else
 					strcpy(gtdescription, "");
-- 
GitLab