From a842fda44c612cd9a126c3039a575da92c6ee0f4 Mon Sep 17 00:00:00 2001
From: PatR
Date: Mon, 13 Jan 2020 19:26:53 -0800
Subject: [PATCH] fix add_menu_coloring() buffer overrun

Fix 'Bug 2' where too long MENUCOLOR=string in run-time config file could overflow a local buffer and clobber the stack. Theoretically a menu coloring regular expression could require a bigger buffer but I don't think we need to try to support that. 255 characters minus the amount needed to specify color and/or attributes should be ample.
---
 doc/fixes36.5 | 3 ++-
 src/options.c | 9 +++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/doc/fixes36.5 b/doc/fixes36.5
index 7ce10f270..c3cad8fe0 100644
--- a/doc/fixes36.5
+++ b/doc/fixes36.5
@@ -1,4 +1,4 @@ -$NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.1 $ $NHDT-Date: 1578971847 2020/01/14 03:17:27 $ +$NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.2 $ $NHDT-Date: 1578972411 2020/01/14 03:26:51 $ fixes36.5 contains a terse summary of changes made to 3.6.4 in order to produce 3.6.5 as well as any post-release fixes in binaries.
@@ -8,6 +8,7 @@ General Fixes and Modified Features ----------------------------------- have string_for_opt() return empty_optstr on failure ensure existing callers of string_for_opt() check return value before using it +fix potential buffer overflow in add_menu_coloring() Fixes to Post-3.6.4 Problems that Were Exposed Via git Repository
diff --git a/src/options.c b/src/options.c
index b77cda435..3e2582a4e 100644
--- a/src/options.c
+++ b/src/options.c
@@ -1,4 +1,4 @@
-/* NetHack 3.6 options.c $NHDT-Date: 1578971391 2020/01/14 03:09:51 $ $NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.394 $ */
+/* NetHack 3.6 options.c $NHDT-Date: 1578972408 2020/01/14 03:26:48 $ $NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.395 $ */
 /* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */
 /*-Copyright (c) Michael Allison, 2008. */
 /* NetHack may be freely redistributed. See license for details. */
@@ -1833,15 +1833,16 @@ int c, a;
 /* parse '"regex_string"=color&attr' and add it to menucoloring */
 boolean
 add_menu_coloring(tmpstr)
-char *tmpstr;
+char *tmpstr; /* never Null but could be empty */
 {
 int c = NO_COLOR, a = ATR_NONE;
 char *tmps, *cs, *amp;
 char str[BUFSZ];

- Sprintf(str, "%s", tmpstr);
+ (void) strncpy(str, tmpstr, sizeof str - 1);
+ str[sizeof str - 1] = '\0';

- if (!tmpstr || (cs = index(str, '=')) == 0) {
+ if ((cs = index(str, '=')) == 0) {
 config_error_add("Malformed MENUCOLOR");
 return FALSE;
 }
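Review bot: The `strncpy` into `str[BUFSZ]` stops the overrun but truncates an over-long MENUCOLOR value silently, so the `index(str, '=')` parse that follows runs on a cut-off string. Depending on where the cut lands, the user gets the generic "Malformed MENUCOLOR" error or, if the cut falls right after a complete color name, possibly an entry accepted with its attribute part dropped. Rejecting the input before the copy would be clearer: `if (strlen(tmpstr) >= sizeof str) { config_error_add("MENUCOLOR too long"); return FALSE; }` (the message text is only a suggestion). The removed `!tmpstr` test now rests solely on the new "never Null" comment, so every caller has to uphold it; the rest of add_menu_coloring() lies outside this hunk.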