Package: sgt-puzzles / 20191231.79a5378-3+deb11u1

0307-Range-check-normal-moves-in-Undead.patch
From: Ben Harris <bjh21@bjh21.me.uk>
Date: Sun, 8 Jan 2023 10:20:26 +0000
Subject: [PATCH 307/389] Range-check normal moves in Undead
Origin: https://git.tartarus.org/?p=simon/puzzles.git;a=commitdiff;h=942d883d9bf86f4240dc7ec22b726d64f6db9af2
Bug-Debian: https://bugs.debian.org/1028986

Normal moves shouldn't be allowed to write outside the board.  This
buffer overrun can be demonstrated by building Undead with
AddressSanitizer and loading this save file:

SAVEFILE:41:Simon Tatham's Portable Puzzle Collection
VERSION :1:1
GAME    :6:Undead
PARAMS  :5:4x4dn
CPARAMS :5:4x4dn
DESC    :48:5,0,5,cRRaLRcLRc,0,2,1,3,1,0,0,3,4,3,2,3,4,2,1,1
NSTATES :1:2
STATEPOS:1:2
MOVE    :3:Z10
---
 undead.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/undead.c
+++ b/undead.c
@@ -2060,6 +2060,7 @@ static game_state *execute_move(const ga
                    c == 'g' || c == 'v' || c == 'z') {
             move++;
             sscanf(move, "%d%n", &x, &n);
+            if (x < 0 || x >= ret->common->num_total) goto badmove;
             if (c == 'G') ret->guess[x] = 1;
             if (c == 'V') ret->guess[x] = 2;
             if (c == 'Z') ret->guess[x] = 4;
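Review bot: the new bounds test reads x immediately after `sscanf(move, "%d%n", &x, &n);`, but the return value of that sscanf is still not checked. If no number follows the move letter, sscanf stores nothing, so the test compares whatever x already held, and n is likewise unset for any code that uses it after this hunk. Suggest rejecting the move when the conversion fails, for example `if (sscanf(move, "%d%n", &x, &n) != 1) goto badmove;` (the %n directive does not count towards the return value, so a successful parse returns 1), and only then applying the range check. The bound `x >= ret->common->num_total` also assumes guess[] has num_total entries; a one-line comment stating that would make the check easier to audit.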
@@ -2085,6 +2086,7 @@ static game_state *execute_move(const ga
             move++;
         } else {
             /* Unknown move type. */
+        badmove:
             free_game(ret);
             return NULL;
         }
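Review bot: the `badmove:` label is placed inside the `else` branch, under the comment `/* Unknown move type. */`, so out-of-range moves now jump into the middle of a sibling block and the comment no longer describes everything that reaches `free_game(ret); return NULL;`. Suggest either updating the comment to say this is the shared rejection path (unknown move type or out-of-range index), or moving the cleanup to a label outside the if/else chain so the error path is visible at function level and later range checks can reuse it without relying on a label buried in one branch.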