fix add_menu_coloring() buffer overrun

Fix 'Bug 2' where too long MENUCOLOR=string in run-time config file
could overflow a local buffer and clobber the stack.

Theoretically a menu coloring regular expression could require a
bigger buffer but I don't think we need to try to support that.
255 characters minus the amount needed to specify color and/or
attributes should be ample.
PatR
2020-01-13 19:26:53 -08:00
parent c35139e9ce
commit a842fda44c
2 changed files with 7 additions and 5 deletions

@@ -1,4 +1,4 @@
$NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.1 $ $NHDT-Date: 1578971847 2020/01/14 03:17:27 $
$NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.2 $ $NHDT-Date: 1578972411 2020/01/14 03:26:51 $
fixes36.5 contains a terse summary of changes made to 3.6.4 in order to
produce 3.6.5 as well as any post-release fixes in binaries.
@@ -8,6 +8,7 @@ General Fixes and Modified Features
-----------------------------------
have string_for_opt() return empty_optstr on failure
ensure existing callers of string_for_opt() check return value before using it
fix potential buffer overflow in add_menu_coloring()
Fixes to Post-3.6.4 Problems that Were Exposed Via git Repository
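
Review bot: The new entry "fix potential buffer overflow in add_menu_coloring()" names only the internal function, so a reader of the fixes file cannot tell that the trigger is a MENUCOLOR line in the run-time config file, which is how the commit message describes it. Suggest wording the entry in terms of the option, for example "fix potential buffer overflow when parsing an overly long MENUCOLOR value".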

@@ -1,4 +1,4 @@
/* NetHack 3.6 options.c $NHDT-Date: 1578971391 2020/01/14 03:09:51 $ $NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.394 $ */
/* NetHack 3.6 options.c $NHDT-Date: 1578972408 2020/01/14 03:26:48 $ $NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.395 $ */
/* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */
/*-Copyright (c) Michael Allison, 2008. */
/* NetHack may be freely redistributed. See license for details. */
@@ -1833,15 +1833,16 @@ int c, a;
/* parse '"regex_string"=color&attr' and add it to menucoloring */
boolean
add_menu_coloring(tmpstr)
char *tmpstr;
char *tmpstr; /* never Null but could be empty */
{
int c = NO_COLOR, a = ATR_NONE;
char *tmps, *cs, *amp;
char str[BUFSZ];
Sprintf(str, "%s", tmpstr);
(void) strncpy(str, tmpstr, sizeof str - 1);
str[sizeof str - 1] = '\0';
if (!tmpstr || (cs = index(str, '=')) == 0) {
if ((cs = index(str, '=')) == 0) {
config_error_add("Malformed MENUCOLOR");
return FALSE;
}
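
Review bot: The copy "(void) strncpy(str, tmpstr, sizeof str - 1);" truncates an over-long MENUCOLOR value silently, so the string that gets parsed is no longer the one the user wrote. If the cut removes the '=', the user sees "Malformed MENUCOLOR" with no hint that length was the cause; if the cut falls after the '=', a shortened color/attribute part is parsed as though it were complete. Consider testing strlen(tmpstr) against sizeof str before copying and calling config_error_add() with a message that names the length limit, then returning FALSE. Dropping the "!tmpstr" test is reasonable, since it ran only after tmpstr had already been passed to Sprintf, but the "never Null" comment is now the only guard, so it is worth confirming that every caller honors it.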