Fix potential security flaws caused by uncontrolled format strings

Make sure format strings are string literals to avoid an uncontrolled format string situation.
2025-02-09 19:15:03 +01:00 · 2023-04-08 19:10:59 +02:00 · 2023-04-08 19:10:59 +02:00 · a7cab1d891
commit a7cab1d891
parent 2c28391ca4
3 changed files with 11 additions and 11 deletions
--- a/r5dev/engine/sys_utils.cpp
+++ b/r5dev/engine/sys_utils.cpp
@ -93,7 +93,7 @@ void _Con_NPrintf(int pos, const char* fmt, ...)
 	g_pOverlay->m_nCon_NPrintf_Idx = pos;
 	snprintf(g_pOverlay->m_szCon_NPrintf_Buf,
-		sizeof(g_pOverlay->m_szCon_NPrintf_Buf), buf);
+		sizeof(g_pOverlay->m_szCon_NPrintf_Buf), "%s", buf);
 }
 #endif // !DEDICATED
--- a/r5dev/gameui/IBrowser.cpp
+++ b/r5dev/gameui/IBrowser.cpp
@ -247,7 +247,7 @@ void CBrowser::BrowserPanel(void)
    }
    ImGui::EndGroup();
-    ImGui::TextColored(ImVec4(1.00f, 0.00f, 0.00f, 1.00f), m_svServerListMessage.c_str());
+    ImGui::TextColored(ImVec4(1.00f, 0.00f, 0.00f, 1.00f), "%s", m_svServerListMessage.c_str());
    ImGui::Separator();
    int iVars = 0; // Eliminate borders around server list table.
@ -289,19 +289,19 @@ void CBrowser::BrowserPanel(void)
                || m_imServerBrowserFilter.PassFilter(pszHostPort))
            {
                ImGui::TableNextColumn();
-                ImGui::Text(pszHostName);
+                ImGui::Text("%s", pszHostName);
                ImGui::TableNextColumn();
-                ImGui::Text(pszHostMap);
+                ImGui::Text("%s", pszHostMap);
                ImGui::TableNextColumn();
-                ImGui::Text(pszPlaylist);
+                ImGui::Text("%s", pszPlaylist);
                ImGui::TableNextColumn();
-                ImGui::Text(Format("%3d/%3d", strtol(server.m_svPlayerCount.c_str(), NULL, NULL), strtol(server.m_svMaxPlayers.c_str(), NULL, NULL)).c_str());
+                ImGui::Text("%s", Format("%3d/%3d", strtol(server.m_svPlayerCount.c_str(), NULL, NULL), strtol(server.m_svMaxPlayers.c_str(), NULL, NULL)).c_str());
                ImGui::TableNextColumn();
-                ImGui::Text(pszHostPort);
+                ImGui::Text("%s", pszHostPort);
                ImGui::TableNextColumn();
                string svConnectBtn = "Connect##";
@ -419,7 +419,7 @@ void CBrowser::HiddenServersModal(void)
        ImGui::Dummy(ImVec2(ImGui::GetWindowContentRegionWidth(), 19.f)); // Place a dummy, basically making space inserting a blank element.
-        ImGui::TextColored(m_ivHiddenServerMessageColor, m_svHiddenServerRequestMessage.c_str());
+        ImGui::TextColored(m_ivHiddenServerMessageColor, "%s", m_svHiddenServerRequestMessage.c_str());
        ImGui::Separator();
        if (ImGui::Button("Connect", ImVec2(ImGui::GetWindowContentRegionWidth(), 24)))
@ -545,7 +545,7 @@ void CBrowser::HostPanel(void)
        g_pServerListManager->m_ServerVisibility = EServerVisibility_t::PUBLIC;
    }
-    ImGui::TextColored(m_HostRequestMessageColor, m_svHostRequestMessage.c_str());
+    ImGui::TextColored(m_HostRequestMessageColor, "%s", m_svHostRequestMessage.c_str());
    if (!m_svHostToken.empty())
    {
        ImGui::InputText("##ServerHost_HostToken", &m_svHostToken, ImGuiInputTextFlags_ReadOnly);
--- a/r5dev/gameui/IConsole.cpp
+++ b/r5dev/gameui/IConsole.cpp
@ -243,7 +243,7 @@ void CConsole::DrawSurface(void)
    m_Logger.m_itFilter.Draw("Filter | ", flFooterWidthReserve - 500);
    ImGui::SameLine();
-    ImGui::Text(m_szSummary);
+    ImGui::Text("%s", m_szSummary);
    ImGui::Separator();
@ -406,7 +406,7 @@ void CConsole::SuggestPanel(void)
                    ImGui::Image(hintRes.m_idIcon, ImVec2(float(hintRes.m_nWidth), float(hintRes.m_nHeight)));
                    ImGui::SameLine();
-                    ImGui::Text(cvarInfo.m_pszDesc);
+                    ImGui::Text("%s", cvarInfo.m_pszDesc);
                };
                ImGui::BeginTooltip();