fix incorrect lint fix

>  if (strlen(simpleoname) > BUFSZ - sizeof "the ")
>    simpleoname[sizeof "the "] = '\0';

The second line should have been
|    simpleoname[strlen(simpleoname) - sizeof "the "] = '\0';
but fixing that isn't adequate.  The BUFSZ limit is not valid when
dealing with object names since xname() leaves room for a prefix so
doesn't return the start of a BUFSZ-sized buffer.

Strangely enough, the complaint that caused me to add those two lines
isn't being triggered any more.  Some other change at the same time,
perhaps splitting
  Strcpy(simpleoname, obufp = the(simpleoname));
into
  obufp = the(simpleoname);
  Strcpy(simpleoname, obufp);
pacified the analyzer.  However, it didn't resolve the valid complaint
that inserting "the " might result in overflow.

I've added a comment about simpleonames(), ansimpleoname(), and
thesimpleoname() about the possible overflow, but I don't think that
such overflow can actually happen when the user-applied object name is
being suppressed.
PatR
2025-01-24 14:50:53 -08:00
parent 02102de396
commit 3c824cd866

@@ -2382,6 +2382,22 @@ Ysimple_name2(struct obj *obj)
return s;
}
/*
* FIXME:
* simpleonames(), ansimpleoname(), and thesimpleoname() need to
* know the beginning of the obuf[] they use so that they can
* guard against buffer overflow when pluralizing (is that an
* actual word?) or inserting "an" or "the".
*
* minimal_xname() returns a call to xname() which writes into
* the middle of its obuf[] then backs up to accomodate a prefix,
* so BUFSZ is not a reliable limit for the length of the result.
*
* [Overflow likely moot. Since the formatted object name has
* user-supplied name suppressed, the length is sure to be short
* enough to added plural suffix or "an" or "the" prefix.]
*/
/* "scroll" or "scrolls" */
char *
simpleonames(struct obj *obj)
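Review bot: The bracketed paragraph at the end of the FIXME calls the overflow "likely moot" because the user-supplied name is suppressed, but nothing here enforces that, and the comment itself says BUFSZ is not a reliable limit because xname() writes into the middle of obuf[] and backs up. Consider stating which bound does apply (how much prefix room xname() leaves) so simpleonames(), ansimpleoname() and thesimpleoname() can be checked against it later. Two wording nits in the same comment: "accomodate" should be "accommodate", and "short enough to added plural suffix" should read "short enough to add a plural suffix".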
@@ -2407,8 +2423,6 @@ ansimpleoname(struct obj *obj)
char *obufp, *simpleoname = simpleonames(obj);
int otyp = obj->otyp;
if (strlen(simpleoname) > BUFSZ - sizeof "the ")
simpleoname[sizeof "the "] = '\0';
/* prefix with "the" if a unique item, or a fake one imitating same,
has been formatted with its actual name (we let minimal_xname() handle
any `known' and `dknown' checking necessary) */
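Review bot: With the two-line strlen()/truncation check after `int otyp = obj->otyp;` dropped (the hunk header goes from 8 lines to 6), the "the" prefix path in ansimpleoname() has no length guard, and the reasoning for why that is acceptable lives only in the FIXME above simpleonames(). Add a short comment at this site pointing to that FIXME, so that a future analyzer complaint here is not answered with another BUFSZ-based check like the one being removed.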