# HG changeset patch
# User Nomad
# Date 1361046958 -7200
# Node ID 1527f66fd81ba5ce9386cc7f7b0965013e7954a9
# Parent 66db86fa4ed2da7416857b58bb8b6068742cd748
Buffer overflow in credits window
diff -r 66db86fa4ed2 -r 1527f66fd81b GUIFont.cpp
--- a/GUIFont.cpp Sat Feb 16 22:20:51 2013 +0200
+++ b/GUIFont.cpp Sat Feb 16 22:35:58 2013 +0200
@@ -1,4 +1,6 @@
 #include
+#include
+
 #include "LOD.h"
 #include "GUIFont.h"
 #include "GUIWindow.h"
@@ -23,11 +25,11 @@
 char temp_string[2048];
-char pTmpBuf3[2048];
+char pTmpBuf3[10000];
 //----- (0044C448) --------------------------------------------------------
 GUIFont *LoadFont(const char *pFontFile, const char *pFontPalette, ...)
- {
+{
 int pallete_index; // eax@3
 GUIFont *pFont;
@@ -348,6 +350,8 @@
 v8 = strlen(pString);
 v9 = v8;
 v39 = v8;
+
+ assert(strlen(v6) < sizeof(pTmpBuf3));
 strcpy(pTmpBuf3, v6);
 v10 = a5;
 v11 = v35;
diff -r 66db86fa4ed2 -r 1527f66fd81b GUIWindow.cpp
--- a/GUIWindow.cpp Sat Feb 16 22:20:51 2013 +0200
+++ b/GUIWindow.cpp Sat Feb 16 22:35:58 2013 +0200
@@ -1796,7 +1796,6 @@
 int uWidtha; // [sp+14h] [bp+4h]@66
 int a4a; // [sp+20h] [bp+10h]@15
- uNextFreeWindowID = 0;
 for (uNextFreeWindowID = 0; uNextFreeWindowID < 20; ++uNextFreeWindowID)
 {
 if (pWindowList[uNextFreeWindowID].eWindowType == WINDOW_null)
diff -r 66db86fa4ed2 -r 1527f66fd81b GUIWindow.h
--- a/GUIWindow.h Sat Feb 16 22:20:51 2013 +0200
+++ b/GUIWindow.h Sat Feb 16 22:35:58 2013 +0200
@@ -94,6 +94,12 @@
 #pragma pack(push, 1)
 struct GUIWindow
 {
+ inline GUIWindow()
+ {
+ pControlsHead = pControlsTail = nullptr;
+ eWindowType = WINDOW_null;
+ }
+
 GUIButton *CreateButton(unsigned int uX, unsigned int uY, unsigned int uWidth, unsigned int uHeight, int a6, int a7, unsigned int uControlID, unsigned int uControlParam, unsigned __int8 uHotkey, const char *pName, Texture *pTextures, ...);
 void DrawFlashingInputCursor(signed int a3, int a4, struct GUIFont *a2);
diff -r 66db86fa4ed2 -r 1527f66fd81b mm7_data.h
--- a/mm7_data.h Sat Feb 16 22:20:51 2013 +0200
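Review bot: `char pTmpBuf3[10000];` in the @@ -23,11 hunk only moves the overflow threshold, and 10000 is an unnamed constant that the new check in the @@ -348,6 hunk reads back through `sizeof(pTmpBuf3)`; because the mm7_data.h hunk now declares the buffer as `extern char pTmpBuf3[];`, `sizeof` on it is an incomplete-type error in every other translation unit, so no other writer of pTmpBuf3 (if any exist, not visible here) can express the same bound. A shared constant keeps the definition, the declaration and the bound in one place: `enum { TMPBUF3_SIZE = 10000 }; extern char pTmpBuf3[TMPBUF3_SIZE];` in mm7_data.h and `char pTmpBuf3[TMPBUF3_SIZE];` here. The brace change on LoadFont is cosmetic; LoadFont's body continues past the hunk.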
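Review bot: The added `assert(strlen(v6) < sizeof(pTmpBuf3));` is the only guard in front of `strcpy(pTmpBuf3, v6)`, and assert() expands to nothing when NDEBUG is defined, so a release build keeps the unbounded copy and an over-long string still overruns the buffer; an assert documents a precondition but does not enforce one. Replace the pair with a copy that cannot overrun, `snprintf(pTmpBuf3, sizeof pTmpBuf3, "%s", v6);` (or the toolchain's equivalent), or keep the assert and add an explicit runtime rejection of input that does not fit. If the layout code that follows relies on v39/v8 matching what was copied (v8 is taken from pString here and the relation between pString and v6 is not visible in the hunk), recompute the length from pTmpBuf3 after the copy. The enclosing function starts and ends outside the hunk.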
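Review bot: The new GUIWindow constructor in the GUIWindow.h hunk initialises only pControlsHead, pControlsTail and eWindowType, so every other member stays indeterminate for a non-static instance; that deserves a comment on the constructor so callers do not assume a fully reset window, e.g. `// Resets only the control list pointers and the type; all other fields are left as found.` `inline` is redundant on a definition inside the class body, and the conventional form is a member-initializer list, `GUIWindow() : pControlsHead(nullptr), pControlsTail(nullptr), eWindowType(WINDOW_null) {}`. A user-provided constructor also makes the struct non-trivial, so any code that initialises GUIWindow objects with memset or copies them with memcpy (none is visible in this diff) is worth checking. The struct body continues past the hunk.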
+++ b/mm7_data.h Sat Feb 16 22:35:58 2013 +0200
@@ -1372,7 +1372,7 @@
 extern int dword_5C35D4; // weak
 extern char *aAMPMNames[2];
 extern char byte_5C45AF[]; // weak
-extern char pTmpBuf3[2048];
+extern char pTmpBuf3[];
 extern char pFinalMessage[4096]; // idb
 extern char pTmpBuf[2000];
 extern char pTmpBuf2[2000];