nethack-gwaa-kiwi/nethack
1
0
Fork 0
Code Pull Requests Activity

win/curses: Check input range in menu selection fallthrough

Browse Source 
curletter is screened to be in valid range in all
other switch/case branches except in the default case,
which is fallthrough.

Add check for valid range in here also, otherwise
array might be addressed with invalid offset.

This should fix the following, found
with UBSAN and #debugfuzzer:

../win/curses/cursdial.c:1558:49: runtime error: index -154 out of bounds for type 'char [256]'
0x5f3857eff140 in menu_get_selections ../win/curses/cursdial.c:1558
0x5f3857ef78c8 in curses_display_nhmenu ../win/curses/cursdial.c:801
0x5f3857edd390 in curses_select_menu ../win/curses/cursmain.c:768
This commit is contained in:
Mika Kuoppala
2024-06-21 22:52:13 +03:00
committed by PatR
parent 54138bbbe3
commit 238d501cce
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
win/curses/cursdial.c
View File

@@ -1555,7 +1555,8 @@ menu_get_selections(WINDOW *win, nhmenu *menu, int how)
} }
/*FALLTHRU*/ /*FALLTHRU*/
default: default:
if (isdigit(curletter) && !selectors[curletter] if (curletter > 0 && curletter < 256
&& isdigit(curletter) && !selectors[curletter]
&& !groupaccels[curletter]) { && !groupaccels[curletter]) {
count = curses_get_count(curletter); count = curses_get_count(curletter);
/* after count, we know some non-digit is already pending */ /* after count, we know some non-digit is already pending */