From 8930e5b4426a66a081153c6b5a08fe77143d64f7 Mon Sep 17 00:00:00 2001
From: cohrs
Date: Mon, 10 Feb 2003 19:01:58 +0000
Subject: [PATCH] nethack -s buffer overflow fix

When printing invalid player names in -s mode, it was possible to overflow the output buffer due to a missing buffer size check. On shared Unix-like systems with executable stacks, this could be used as a security exploit, eg to obtain a shell running as user or group games.

While I was at it, removed a dead block of "#if 0" code
---
 doc/fixes34.1 | 1 +
 src/topten.c | 14 ++++++--------
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/doc/fixes34.1 b/doc/fixes34.1
index 12ebc0e66..fef372d59 100644
--- a/doc/fixes34.1
+++ b/doc/fixes34.1
@@ -379,6 +379,7 @@ see_monsters() wasn't called when you lost the innate warning intrinsic due
 xorns sink if the drawbridge they're standing on is raised
 applying figurines to an adjacent spot over water does drowning checks
 fix sequencing of Magicbane's hit messages
+avoid buffer overflow from long or too many -s params
 Platform- and/or Interface-Specific Fixes
diff --git a/src/topten.c b/src/topten.c
index 08f80e96c..afbdfd4b2 100644
--- a/src/topten.c
+++ b/src/topten.c
@@ -788,14 +788,6 @@ char **argv;
 if (!argv[1][2]){ /* plain "-s" */
 argc--;
 argv++;
-#if 0 /* uses obsolete pl_classes[] */
- } else if (!argv[1][3] && index(pl_classes, argv[1][2])) {
- /* may get this case instead of next accidentally, * but neither is listed in the documentation, so * anything useful that happens is a bonus anyway */
- argv[1]++;
- argv[1][0] = '-';
-#endif
 } else argv[1] += 2;
 if (argc > 1 && !strcmp(argv[1], "-v")) {
@@ -857,6 +849,12 @@ char **argv;
 else {
 if (playerct > 1) Strcat(pbuf, "any of ");
 for (i = 0; i < playerct; i++) {
+ /* stop printing players if there are too many to fit */
+ if (strlen(pbuf) + strlen(players[i]) + 2 >= BUFSZ) {
+ if (strlen(pbuf) < BUFSZ-4) Strcat(pbuf, "...");
+ else Strcpy(pbuf+strlen(pbuf)-4, "...");
+ break;
+ }
 Strcat(pbuf, players[i]);
 if (i < playerct-1) {
 if (players[i][0] == '-' &&
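Review bot: The size arithmetic in the new guard is correct but unexplained: `+ 2` only holds because the loop appends at most one separator byte after `players[i]` (the `" "`/`":"` `Strcat` branches fall past the end of this hunk), and `BUFSZ-4` reserves room for `"..."` plus the terminator so the `Strcpy(pbuf+strlen(pbuf)-4, "...")` overwrite never steps before `pbuf`. I would spell that out on the check itself: `/* +2: one separator byte plus the NUL; keep room to truncate with "..." */`. `strlen(pbuf)` is also evaluated up to three times per iteration; a local `size_t len = strlen(pbuf);` reused in the guard and both branches reads better and makes it obvious the `-4` pointer math is only reached when `len >= BUFSZ-4`. This assumes `pbuf` is a `char[BUFSZ]` that is NUL-terminated before the loop; its declaration, the separator code and the rest of the enclosing function lie outside the hunk, so that is worth confirming.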