Originally posted by [b]theultramage[/b]
http://www.eathena.ws/board/index.php?autocom=bugtracker&showbug=2996
The last fix to clif_parse_NpcStringInput() still allows a string of length 0 to be entered (or truncated the length to 0).
Crafting such a string uncovers a more serious defect - in safestrncpy().
CODE
char* safestrncpy(char* dst, const char* src, size_t n)
{
    char* ret;
    ret = strncpy(dst, src, n);
    if( ret != NULL )
        ret[n - 1] = '\0';   /* force NUL termination; with n == 0 this writes to ret[-1] */
    return ret;
}
When this function receives n == 0, it will ultimately write to ret[-1], corrupting memory in front of the buffer.
This was discovered when analyzing a server crash where sd->st contained an invalid pointer. There it was found that the sd->npc_str variable is located right after sd->st, and thus safestrncpy() in this case zeroes the topmost byte, destroying the pointer value.
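As an added example (not code from the bug report or from eAthena), here is the guarded form of safestrncpy() that returns early when n == 0, next to a constructed struct that is assumed to mimic the sd->st / sd->npc_str adjacency described above so the effect of the guard can be checked.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Guarded safestrncpy (added example): with n == 0 there is no byte to
 * terminate, so the function returns before touching dst[n - 1]. */
char* safestrncpy_fixed(char* dst, const char* src, size_t n)
{
    if (n == 0)
        return dst;            /* nothing copied, nothing written */
    strncpy(dst, src, n);      /* may leave dst unterminated when src is longer */
    dst[n - 1] = '\0';         /* safe: n >= 1 here */
    return dst;
}

/* Constructed layout (hypothetical, not eAthena's real session struct):
 * a pointer immediately followed by the string buffer, as in the report.
 * With the unguarded version and n == 0, dst[-1] is the last byte of st,
 * i.e. the topmost byte of the pointer on a little-endian machine. */
struct session_mock {
    void* st;                  /* stands in for sd->st */
    char  npc_str[8];          /* stands in for sd->npc_str */
};

/* Returns 1 if copying "hello" with limit n leaves the pointer intact. */
int pointer_survives(size_t n)
{
    struct session_mock sd;
    int sentinel = 0;
    sd.st = &sentinel;                       /* known-good pointer value */
    memset(sd.npc_str, 'X', sizeof sd.npc_str);
    safestrncpy_fixed(sd.npc_str, "hello", n);   /* n <= sizeof npc_str */
    return sd.st == (void*)&sentinel;
}

/* Length of the string left in a pre-zeroed 8-byte buffer after the copy. */
size_t copied_length(size_t n)
{
    char buf[8] = {0};
    safestrncpy_fixed(buf, "hello", n);
    return strlen(buf);
}

int main(void)
{
    printf("n=0 pointer intact: %d\n", pointer_survives(0));
    printf("n=3 copies %zu chars, n=8 copies %zu chars\n",
           copied_length(3), copied_length(8));
    return 0;
}
```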