From 3939966a7f07dc3d33d54de61193110da34a86f3 Mon Sep 17 00:00:00 2001
From: James R <justsomejames2@gmail.com>
Date: Mon, 20 May 2024 16:40:23 -0700
Subject: [PATCH] Fix saycmd message buffer handling

- Properly bounds check say_pak
- Fix off-by-one read in Got_Saycmd
---
 src/d_clisrv.c |  3 +--
 src/d_clisrv.h |  2 +-
 src/hu_stuff.c | 18 ++++++++----------
 3 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/src/d_clisrv.c b/src/d_clisrv.c
index c4eafdf032..c3c54ea99d 100644
--- a/src/d_clisrv.c
+++ b/src/d_clisrv.c
@@ -4727,8 +4727,7 @@ static void PT_Say(int node)
 
 	{
 		size_t i;
-		const size_t j = strlen(say.message);
-		for (i = 0; i < j; i++)
+		for (i = 0; i < sizeof say.message && say.message[i]; i++)
 		{
 			if (say.message[i] & 0x80)
 			{
diff --git a/src/d_clisrv.h b/src/d_clisrv.h
index dc80c059e0..64a75744ee 100644
--- a/src/d_clisrv.h
+++ b/src/d_clisrv.h
@@ -395,7 +395,7 @@ struct resultsall_pak
 
 struct say_pak
 {
-	char message[HU_MAXMSGLEN + 1];
+	char message[HU_MAXMSGLEN];
 	UINT8 target;
 	UINT8 flags;
 	UINT8 source;
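Review bot: say_pak is a wire structure, so dropping the +1 on message moves target, flags and source one byte earlier and changes the packet layout; if the protocol has a version number or packet-size check (not visible in this patch), a peer built on the old layout will misparse these three fields, so confirm that check is bumped with this change. The field also no longer holds a NUL when a message is exactly HU_MAXMSGLEN long, which every reader has to know; document it at the declaration: `char message[HU_MAXMSGLEN]; // not NUL-terminated when full length; readers must bound by sizeof message`.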
diff --git a/src/hu_stuff.c b/src/hu_stuff.c
index 4af5b2235f..c866184b4b 100644
--- a/src/hu_stuff.c
+++ b/src/hu_stuff.c
@@ -544,8 +544,8 @@ void HU_AddChatText(const char *text, boolean playsound)
 
 void DoSayCommand(char *message, SINT8 target, UINT8 flags, UINT8 source)
 {
-	char buf[2 + HU_MAXMSGLEN + 1];
-	char *msg = &buf[3];
+	char buf[3 + HU_MAXMSGLEN];
+	char *p = buf;
 
 	// Enforce shout for the dedicated server.
 	if (dedicated && source == serverplayer && !(flags & HU_CSAY))
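Review bot: The new size `3 + HU_MAXMSGLEN` silently encodes three one-byte header fields plus a message that leaves no room for a terminator once it is full length, but nothing at the declaration says so, and a later change to the header (or to the limit passed to WRITESTRINGN) would break the arithmetic without warning. Make the layout explicit: `char buf[3 + HU_MAXMSGLEN]; // target, flags, source, then the message (no NUL when full length)`. DoSayCommand continues past this hunk into the next one.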
@@ -553,14 +553,12 @@ void DoSayCommand(char *message, SINT8 target, UINT8 flags, UINT8 source)
 		flags |= HU_SHOUT;
 	}
 
-	buf[0] = target;
-	buf[1] = flags;
-	buf[2] = source;
-	msg[0] = '\0';
-
-	strcpy(msg, message);
+	WRITESINT8(p, target);
+	WRITEUINT8(p, flags);
+	WRITEUINT8(p, source);
+	WRITESTRINGN(p, message, HU_MAXMSGLEN);
 
-	SendNetXCmd(XD_SAY, buf, strlen(msg) + 1 + msg-buf);
+	SendNetXCmd(XD_SAY, buf, p - buf);
 }
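Review bot: `WRITESTRINGN(p, message, HU_MAXMSGLEN)` lands in the last HU_MAXMSGLEN bytes of buf, so buf is only safe if the macro emits at most HU_MAXMSGLEN bytes, terminator included, for a message of HU_MAXMSGLEN or more characters; its definition is not in this patch, and a variant that always appends a NUL after n characters would overflow buf by exactly one byte, the class of bug this commit is fixing, so confirm it before merging. It would also help the reader to state the wire contract at the call: `WRITESTRINGN(p, message, HU_MAXMSGLEN); // presumably truncates; no NUL on the wire when the message is full length`. The receiver in this same patch now bounds its read with READSTRINGN, so the unterminated case appears to be handled there, but the sender should not rely on that without saying so.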
 
 /** Send a message to everyone.
@@ -690,7 +688,7 @@ static void Got_Saycmd(const UINT8 **p, INT32 playernum)
 	flags = READUINT8(*p);
 	playernum = READUINT8(*p);
 	msg = buf;
-	READSTRINGL(*p, msg, HU_MAXMSGLEN + 1);
+	READSTRINGN(*p, msg, HU_MAXMSGLEN);
 
 	//check for invalid characters (0x80 or above)
 	{
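Review bot: `READSTRINGN(*p, msg, HU_MAXMSGLEN)` reads into buf, whose declaration is outside this hunk, and whether it is safe depends on what the macro does after consuming HU_MAXMSGLEN characters without seeing a NUL: if it then stores a terminator at msg[HU_MAXMSGLEN], buf must be HU_MAXMSGLEN + 1 bytes, and if it stores nothing, msg is unterminated and the 0x80 scan below plus every later string use must be length-bounded. Confirm against the macro's definition and size buf to match, and pin the contract at the read with a comment such as `// READSTRINGN bounds the read at HU_MAXMSGLEN; buf must have room for the terminator it writes`. Separately, `playernum = READUINT8(*p)` two lines above replaces the parameter with a byte taken from the command stream; that value needs a `>= MAXPLAYERS` check (and, for a non-server source, a check that it matches the sender) before it is used as a player index, and whether such a check exists further down is not visible here. Got_Saycmd starts and ends outside this hunk.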
-- 
GitLab