<Spirit> at ~0:30 carmack said that video drivers check for early releases of glquake(?) since he wrote it with a buffer overflow for the extension strings. anyone got insight or more info on that?
<Dick> He's talking about a Com_Printf call in glquake (and quake 2, and a lot of quake/quake2-derived games)
<Dick> Where it just tries to print the entire extension list despite Com_Printf having a fairly small stack buffer that it va's shit into
<Spirit> and that really got hacked into the drivers (as giving a shorter list)?
<Dick> Yeah, most drivers have a generic "limit extension string" option for opengl
<Rick> lol :p
<Spirit> do you know what binaries the drivers check for? or how else they prevent this
<Dick> nvidia seems to have hardcoded exe name checks
<Dick> Which have failed me before
<Dick> It didn't pick up on heretic 2 and it kept crashing on startup
<Dick> So I tried to make a specific profile for the exe and limit extension strings, and it still wasn't limiting extension strings when I'd run the game. I don't know what the issue was there.
<Dick> So I ended up just disassembling it in IDA and patching it myself to turn the call to com_printf into nop's
<Spirit> Dick: nice. thanks
<LordHavoc> <Spirit> at ~0:30 carmack said that video drivers check for early releases of glquake(?) since he wrote it with a buffer overflow for the extension strings. anyone got insight or more info on that?
<Rick> they talked about it earlier
<LordHavoc> Spirit: real simple - Con_Printf has a 1024 char buffer in it, the GL_EXTENSIONS string is around 5000-8000 chars at present
<Rick> drivers do detection via process name I guess?
<Rick> nvidia at least?
<LordHavoc> Spirit: so when it does sprintf, it overwrites a huge amount of stack memory and crashes
<Rick> you were answering
<LordHavoc> Rich: yeah process name
<LordHavoc> Spirit: using snprintf fixes the crash, using a larger buffer fixes the truncated extensions string
<LordHavoc> Spirit: darkplaces uses  for all temporary char buffers (I call this MAX_INPUTLINE), including console text entry and everything else
<Rick> LordHavoc I assume you also sanely check input strings to make sure they fit
<Rick> (or use snprintf/etc)
<LordHavoc> <Rick> LordHavoc I assume you also sanely check input strings to make sure they fit
<LordHavoc> <Rick> (or use snprintf/etc)
<LordHavoc> Rick: snprintf (with intentional nul termination - remember the MSVC one doesn't necessarily put a nul at the end), strlcpy/strlcat (from BSD source code) because strncpy is trouble (no nul termination when truncating) and strncat is evil incarnate (no nul termination when truncating, no destination buffer size - the limit you provide is how many characters to copy, not dependent on how far it had to skip to get there),
<LordHavoc> Rich: to be clear the only safe string function ever created in the C language is asprintf
<Rick> oh I meant whatever equivilent
<Rick> not snprintf itself
<Rick> msvc has variants that are less dumb