General
I spotted a potential buffer overflow in the RecordCommand() function in the commands.cxx file of the bzfs module:
https://github.com/BZFlag-Dev/bzflag/blob/2.4/src/bzfs/commands.cxx
Description
The filename array has a fixed length (MessageLen), but the sscanf() call uses an unbounded "%s" conversion that copies the user-supplied token into it without checking its length, so an overlong token from the client's message overflows the filename array.
    Record::sendHelp (t);
  }
  else if (strncasecmp (buf, "save", 4) == 0)
  {
    buf = buf + 4;
    char filename[MessageLen];
    while ((*buf != '\0') && isspace (*buf)) buf++; // eat whitespace
    if (*buf == '\0')
    {
      Record::sendHelp (t);
      return true;
    }
    // get the filename
    sscanf (buf, "%s", filename); // BUFFER OVERFLOW due to unchecked size (line 3667)
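A hardened form of the same parsing step, written here as an added example and not code from the bzflag project: the %s conversion is given a width derived from the destination size, and a token that would have been truncated is rejected rather than silently cut off. MESSAGE_LEN is an assumed stand-in for the project's MessageLen constant.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Stand-in for the bzfs constant MessageLen (assumed value for this example). */
#define MESSAGE_LEN 1024

enum save_result { SAVE_OK = 0, SAVE_NO_FILENAME = 1, SAVE_TOO_LONG = 2 };

/* Hardened replacement for the `sscanf (buf, "%s", filename)` step: the %s
 * conversion carries a width of out_len - 1, so sscanf() can never write past
 * `out`, and a token that would have been cut off is rejected, not truncated. */
static enum save_result parse_save_filename(const char *buf, char *out, size_t out_len)
{
    char fmt[32];
    char next = '\0';
    int matched;

    if (out_len < 2)
        return SAVE_TOO_LONG;
    while (*buf != '\0' && isspace((unsigned char)*buf))
        buf++; /* eat whitespace, exactly as the original code does */
    if (*buf == '\0')
        return SAVE_NO_FILENAME;

    /* Build "%<width>s%c" at run time so the width always matches the buffer. */
    snprintf(fmt, sizeof fmt, "%%%zus%%c", out_len - 1);
    matched = sscanf(buf, fmt, out, &next);
    /* A non-space character right after the token means the token did not fit. */
    if (matched == 2 && !isspace((unsigned char)next))
        return SAVE_TOO_LONG;
    return SAVE_OK;
}

/* Helper: parse `input` into a buffer of `out_len` bytes and report the result code. */
static enum save_result save_result_for(const char *input, size_t out_len)
{
    char out[MESSAGE_LEN];
    return parse_save_filename(input, out, out_len < sizeof out ? out_len : sizeof out);
}

/* Helper: 1 if `input` parses into a MESSAGE_LEN buffer and equals `expected`. */
static int save_filename_equals(const char *input, const char *expected)
{
    char out[MESSAGE_LEN];
    return parse_save_filename(input, out, sizeof out) == SAVE_OK && strcmp(out, expected) == 0;
}
```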
Impact
This could lead to a denial of service against the bzfs server, since the overflow corrupts the stack of the command handler.