diff --git a/doc/fixes36.5 b/doc/fixes36.5 index e4bfd7949..9085747ab 100644 --- a/doc/fixes36.5 +++ b/doc/fixes36.5 @@ -1,14 +1,16 @@ -$NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.0 $ $NHDT-Date: 1576705788 2019/12/18 21:49:48 $ +$NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.3 $ $NHDT-Date: 1578996303 2020/01/14 10:05:03 $ + +fixes36.5 contains a terse summary of changes made to 3.6.4 in order to +produce 3.6.5 as well as any post-release fixes in binaries. -This fixes36.5 file is here to capture information about updates in the 3.6.x -lineage following the release of 3.6.4 in December 2019. Please note, however, -that another 3.6.x release is not anticipated, and most developer -focus will shift to the next major release. General Fixes and Modified Features ----------------------------------- have string_for_opt() return empty_optstr on failure -ensure existing callers of string_for_opt() check the return value before using it +ensure existing callers of string_for_opt() check return value before using it +fix potential buffer overflow in add_menu_coloring() +fix potential buffer overflow in sym_val() +fix potential buffer overflow in pline(), raw_printf(), and config_error_add() Fixes to Post-3.6.4 Problems that Were Exposed Via git Repository @@ -22,12 +24,5 @@ Windows OPTIONS=map_mode:fit_to_screen could cause a game start failure General New Features -------------------- - - -NetHack Community Patches (or Variation) Included -------------------------------------------------- - - -Code Cleanup and Reorganization -------------------------------- +none diff --git a/src/options.c b/src/options.c index 321041513..421f9b9f5 100644 --- a/src/options.c +++ b/src/options.c @@ -1,4 +1,4 @@ -/* NetHack 3.7 options.c $NHDT-Date: 1577050473 2019/12/22 21:34:33 $ $NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.422 $ */ +/* NetHack 3.7 options.c $NHDT-Date: 1578996303 2020/01/14 10:05:03 $ $NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.396 $ */ /* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */ /*-Copyright (c) Michael Allison, 2008. */ /* NetHack may be freely redistributed. See license for details. */ @@ -42,7 +42,7 @@ enum window_option_types { #define PILE_LIMIT_DFLT 5 -static char empty_optstr[] = {0}; +static char empty_optstr[] = { '\0' }; /* * NOTE: If you add (or delete) an option, please update the short @@ -929,8 +929,8 @@ int maxlen; */ static void escapes(cp, tp) -const char *cp; -char *tp; +const char *cp; /* might be 'tp', updating in place */ +char *tp; /* result is never longer than 'cp' */ { static NEARDATA const char oct[] = "01234567", dec[] = "0123456789", hex[] = "00112233445566778899aAbBcCdDeEfF"; @@ -1808,15 +1808,16 @@ int c, a; /* parse '"regex_string"=color&attr' and add it to menucoloring */ boolean add_menu_coloring(tmpstr) -char *tmpstr; +char *tmpstr; /* never Null but could be empty */ { int c = NO_COLOR, a = ATR_NONE; char *tmps, *cs, *amp; char str[BUFSZ]; - Sprintf(str, "%s", tmpstr); + (void) strncpy(str, tmpstr, sizeof str - 1); + str[sizeof str - 1] = '\0'; - if (!tmpstr || (cs = index(str, '=')) == 0) { + if ((cs = index(str, '=')) == 0) { config_error_add("Malformed MENUCOLOR"); return FALSE; } @@ -2507,7 +2508,8 @@ boolean tinitial, tfrom_file; config_error_add("Unknown %s parameter '%s'", fullname, opts); return FALSE; } - if (opttype > 0 && (op = string_for_opt(opts, FALSE)) != empty_optstr) { + if (opttype > 0 + && (op = string_for_opt(opts, FALSE)) != empty_optstr) { wc_set_font_name(opttype, op); #ifdef MAC set_font_name(opttype, op); @@ -2607,7 +2609,6 @@ boolean tinitial, tfrom_file; if (match_optname(opts, "fruit", 2, TRUE)) { struct fruit *forig = 0; - char empty_str = '\0'; if (duplicate) complain_about_duplicate(opts, 1); @@ -2622,7 +2623,7 @@ boolean tinitial, tfrom_file; } if (op == empty_optstr) return FALSE; - /* stripped leading and trailing spaces, condensed internal ones in 3.6.2 */ + /* strip leading/trailing spaces, condense internal ones (3.6.2) */ mungspaces(op); if (!g.opt_initial) { struct fruit *f; @@ -3081,7 +3082,8 @@ boolean tinitial, tfrom_file; if (duplicate) complain_about_duplicate(opts, 1); op = string_for_opt(opts, negated); - if ((negated && op == empty_optstr) || (!negated && op != empty_optstr)) + if ((negated && op == empty_optstr) + || (!negated && op != empty_optstr)) flags.pile_limit = negated ? 0 : atoi(op); else if (negated) { bad_negation(fullname, TRUE); @@ -3180,7 +3182,8 @@ boolean tinitial, tfrom_file; } /* "disclose" without a value means "all with prompting" and negated means "none without prompting" */ - if (op == empty_optstr || !strcmpi(op, "all") || !strcmpi(op, "none")) { + if (op == empty_optstr + || !strcmpi(op, "all") || !strcmpi(op, "none")) { if (op != empty_optstr && !strcmpi(op, "none")) negated = TRUE; for (num = 0; num < NUM_DISCLOSURE_OPTIONS; num++) @@ -3453,7 +3456,8 @@ boolean tinitial, tfrom_file; if (duplicate) complain_about_duplicate(opts, 1); op = string_for_opt(opts, negated); - if ((negated && op == empty_optstr) || (!negated && op != empty_optstr)) { + if ((negated && op == empty_optstr) + || (!negated && op != empty_optstr)) { iflags.wc_scroll_amount = negated ? 1 : atoi(op); } else if (negated) { bad_negation(fullname, TRUE); @@ -3469,7 +3473,8 @@ boolean tinitial, tfrom_file; if (duplicate) complain_about_duplicate(opts, 1); op = string_for_opt(opts, negated); - if ((negated && op == empty_optstr) || (!negated && op != empty_optstr)) { + if ((negated && op == empty_optstr) + || (!negated && op != empty_optstr)) { iflags.wc_scroll_margin = negated ? 5 : atoi(op); } else if (negated) { bad_negation(fullname, TRUE); @@ -3504,7 +3509,8 @@ boolean tinitial, tfrom_file; if (duplicate) complain_about_duplicate(opts, 1); op = string_for_opt(opts, negated); - if ((negated && op == empty_optstr) || (!negated && op != empty_optstr)) { + if ((negated && op == empty_optstr) + || (!negated && op != empty_optstr)) { iflags.wc_tile_width = negated ? 0 : atoi(op); } else if (negated) { bad_negation(fullname, TRUE); @@ -3533,7 +3539,8 @@ boolean tinitial, tfrom_file; if (duplicate) complain_about_duplicate(opts, 1); op = string_for_opt(opts, negated); - if ((negated && op == empty_optstr) || (!negated && op != empty_optstr)) { + if ((negated && op == empty_optstr) + || (!negated && op != empty_optstr)) { iflags.wc_tile_height = negated ? 0 : atoi(op); } else if (negated) { bad_negation(fullname, TRUE); @@ -3549,7 +3556,8 @@ boolean tinitial, tfrom_file; if (duplicate) complain_about_duplicate(opts, 1); op = string_for_opt(opts, negated); - if ((negated && op == empty_optstr) || (!negated && op != empty_optstr)) { + if ((negated && op == empty_optstr) + || (!negated && op != empty_optstr)) { iflags.wc_vary_msgcount = negated ? 0 : atoi(op); } else if (negated) { bad_negation(fullname, TRUE); @@ -3650,7 +3658,7 @@ boolean tinitial, tfrom_file; bad_negation(fullname, FALSE); retval = FALSE; - /* this just checks atol() sanity, not logical window size sanity */ + /* just checks atol() sanity, not logical window size sanity */ } else if (ltmp <= 0L || ltmp >= (long) LARGEST_INT) { config_error_add("Invalid %s: %ld", fullname, ltmp); retval = FALSE; @@ -6132,9 +6140,9 @@ char *buf; int sym_val(strval) -const char *strval; +const char *strval; /* up to 4*BUFSZ-1 long; only first few chars matter */ { - char buf[QBUFSZ]; + char buf[QBUFSZ], tmp[QBUFSZ]; /* to hold trucated copy of 'strval' */ buf[0] = '\0'; if (!strval[0] || !strval[1]) { /* empty, or single character */ @@ -6155,7 +6163,7 @@ const char *strval; /* not simple quote or basic backslash; strip closing quote and let escapes() deal with it */ } else { - char *p, tmp[QBUFSZ]; + char *p; (void) strncpy(tmp, strval + 1, sizeof tmp - 1); tmp[sizeof tmp - 1] = '\0'; @@ -6164,8 +6172,11 @@ const char *strval; escapes(tmp, buf); } /* else buf[0] stays '\0' */ } - } else /* not lone char nor single quote */ - escapes(strval, buf); + } else { /* not lone char nor single quote */ + (void) strncpy(tmp, strval + 1, sizeof tmp - 1); + tmp[sizeof tmp - 1] = '\0'; + escapes(tmp, buf); + } return (int) *buf; } diff --git a/src/pline.c b/src/pline.c index 7eee2585f..4bf141950 100644 --- a/src/pline.c +++ b/src/pline.c @@ -6,6 +6,10 @@ #define NEED_VARARGS /* Uses ... */ /* comment line for pre-compiled headers */ #include "hack.h" +#define BIGBUFSZ (5 * BUFSZ) /* big enough to format a 4*BUFSZ string (from + * config file parsing) with modest decoration; + * result will then be truncated to BUFSZ-1 */ + static void FDECL(putmesg, (const char *)); static char *FDECL(You_buf, (int)); #if defined(MSGHANDLER) && (defined(POSIX_TYPES) || defined(__GNUC__)) @@ -114,7 +118,7 @@ VA_DECL(const char *, line) #endif /* USE_STDARG | USE_VARARG */ { /* start of vpline() or of nested block in USE_OLDARG's pline() */ static int in_pline = 0; - char pbuf[3 * BUFSZ]; + char pbuf[BIGBUFSZ]; /* will get chopped down to BUFSZ-1 if longer */ int ln; int msgtyp; boolean no_repeat; @@ -435,15 +439,14 @@ void raw_printf VA_DECL(const char *, line) #endif { - char pbuf[3 * BUFSZ]; - int ln; + char pbuf[BIGBUFSZ]; /* will be chopped down to BUFSZ-1 if longer */ /* Do NOT use VA_START and VA_END in here... see above */ if (index(line, '%')) { Vsprintf(pbuf, line, VA_ARGS); line = pbuf; } - if ((ln = (int) strlen(line)) > BUFSZ - 1) { + if ((int) strlen(line) > BUFSZ - 1) { if (line != pbuf) line = strncpy(pbuf, line, BUFSZ - 1); /* unlike pline, we don't futz around to keep last few chars */ @@ -462,7 +465,7 @@ VA_DECL(const char *, line) void impossible VA_DECL(const char *, s) { - char pbuf[2 * BUFSZ]; + char pbuf[BIGBUFSZ]; /* will be chopped down to BUFSZ-1 if longer */ VA_START(s); VA_INIT(s, const char *); @@ -567,7 +570,7 @@ config_error_add VA_DECL(const char *, str) #endif /* ?(USE_STDARG || USE_VARARG) */ { /* start of vconf...() or of nested block in USE_OLDARG's conf...() */ - char buf[2 * BUFSZ]; + char buf[BIGBUFSZ]; /* will be chopped down to BUFSZ-1 if longer */ Vsprintf(buf, str, VA_ARGS); buf[BUFSZ - 1] = '\0';