From cebca2ca04076cfc8b580870262538c9dae9b608 Mon Sep 17 00:00:00 2001
From: rexx <67599507+r-ex@users.noreply.github.com>
Date: Sat, 8 Apr 2023 18:42:20 +0100
Subject: [PATCH] Fix security flaws in use of format strings

In all cases, the string is already formatted by the time that DrawColoredText is called, so we must make sure that an invalid format specifier cannot be placed inside the string as this can cause arbitrary memory reading and potentially crashes
---
 r5dev/vgui/vgui_debugpanel.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/r5dev/vgui/vgui_debugpanel.cpp b/r5dev/vgui/vgui_debugpanel.cpp
index 3aded7ee..5da52aeb 100644
--- a/r5dev/vgui/vgui_debugpanel.cpp
+++ b/r5dev/vgui/vgui_debugpanel.cpp
@@ -106,7 +106,7 @@ void CTextOverlay::DrawNotify(void)
 c[3] = 255;
 }
 CMatSystemSurface_DrawColoredText(g_pMatSystemSurface, v_Rui_GetFontFace(),
-m_nFontHeight, x, y, c.r(), c.g(), c.b(), c.a(), m_vNotifyText[i].m_svMessage.c_str());
+m_nFontHeight, x, y, c.r(), c.g(), c.b(), c.a(), "%s", m_vNotifyText[i].m_svMessage.c_str());
 
 if (IsX360())
 {
@@ -140,7 +140,7 @@ void CTextOverlay::DrawFormat(const int x, const int y, const Color c, const cha
 va_end(args);
 }/////////////////////////////
 
-CMatSystemSurface_DrawColoredText(g_pMatSystemSurface, v_Rui_GetFontFace(), m_nFontHeight, x, y, c.r(), c.g(), c.b(), c.a(), szLogbuf);
+CMatSystemSurface_DrawColoredText(g_pMatSystemSurface, v_Rui_GetFontFace(), m_nFontHeight, x, y, c.r(), c.g(), c.b(), c.a(), "%s", szLogbuf);
 }
 
 //-----------------------------------------------------------------------------
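Review bot: The added `"%s"` literal is the only thing that keeps the already-formatted notify text out of the printf-style parser inside CMatSystemSurface_DrawColoredText, and nothing at the call site records that, so a later "cleanup" of the argument list would silently reintroduce the format-string read the commit message describes. Put a one-line comment above each of the four patched calls (this hunk, and the DrawFormat, Con_NPrintf and DrawStreamOverlay hunks), e.g. `// Text is already formatted: route it through "%s" so a '%' in user-visible text is never interpreted.` A sturdier follow-up is a small non-variadic wrapper (name per project convention) that takes the raw string and supplies the `"%s"` itself, so new call sites cannot omit it; any callers of CMatSystemSurface_DrawColoredText in other files, if they exist, would need the same review. DrawNotify begins and ends outside this hunk.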
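Review bot: DrawFormat still takes a caller-supplied format plus a va_list (the `va_end(args);` context line and the truncated `const cha` parameter in the hunk header point to a `const char*` format followed by `...`), so this hunk only closes the second stage of the problem; the same read recurs one level up if any caller passes runtime text as the format argument rather than as a `"%s"` operand. The `"%s"` change here is correct, but the contract should be stated on the declaration, e.g. `/// fmt must be a string literal; pass runtime text as a "%s" argument.`, and, where the toolchain supports it, the format parameter annotated (`_Printf_format_string_` under MSVC analysis, or `__attribute__((format(printf, N, N+1)))` with N the 1-based position of the format parameter counting `this`) so non-literal formats are flagged at compile time. The enclosing function starts outside the hunk.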
@@ -188,7 +188,7 @@ void CTextOverlay::Con_NPrintf(void) const int nWidth = cl_notify_invert_x->GetBool() ? g_nWindowRect[0] - cl_notify_offset_x->GetInt() : cl_notify_offset_x->GetInt() + m_nCon_NPrintf_Idx * m_nFontHeight; const int nHeight = cl_notify_invert_y->GetBool() ? g_nWindowRect[1] - cl_notify_offset_y->GetInt() : cl_notify_offset_y->GetInt(); - CMatSystemSurface_DrawColoredText(g_pMatSystemSurface, v_Rui_GetFontFace(), m_nFontHeight, nWidth, nHeight, c.r(), c.g(), c.b(), c.a(), m_szCon_NPrintf_Buf); + CMatSystemSurface_DrawColoredText(g_pMatSystemSurface, v_Rui_GetFontFace(), m_nFontHeight, nWidth, nHeight, c.r(), c.g(), c.b(), c.a(), "%s", m_szCon_NPrintf_Buf); m_nCon_NPrintf_Idx = 0; m_szCon_NPrintf_Buf[0] = '\0'; @@ -248,7 +248,7 @@ void CTextOverlay::DrawStreamOverlay(void) const static const Color c = { 255, 255, 255, 255 }; GetStreamOverlay(stream_overlay_mode->GetString(), szLogbuf, sizeof(szLogbuf)); - CMatSystemSurface_DrawColoredText(g_pMatSystemSurface, v_Rui_GetFontFace(), m_nFontHeight, 20, 300, c.r(), c.g(), c.b(), c.a(), szLogbuf); + CMatSystemSurface_DrawColoredText(g_pMatSystemSurface, v_Rui_GetFontFace(), m_nFontHeight, 20, 300, c.r(), c.g(), c.b(), c.a(), "%s", szLogbuf); } //-----------------------------------------------------------------------------