random_response() buffer overflow

'sz' is the size of the buffer; 'if (count < sz) buf[count++] = c;' can fill the entire buffer, leaving count==sz, so buf[count] = '\0'; would be out of bounds. Formatting was way off. Indentation these days should be multiples of 4 spaces, never tabs.
2018-12-13 02:12:31 -08:00
parent f9beca06dc
commit cf7536b167
2 changed files with 23 additions and 25 deletions
--- a/src/cmd.c
+++ b/src/cmd.c
@@ -1,4 +1,4 @@
-/* NetHack 3.6	cmd.c	$NHDT-Date: 1544669664 2018/12/13 02:54:24 $  $NHDT-Branch: NetHack-3.6.2-beta01 $:$NHDT-Revision: 1.315 $ */
+/* NetHack 3.6	cmd.c	$NHDT-Date: 1544695944 2018/12/13 10:12:24 $  $NHDT-Branch: NetHack-3.6.2-beta01 $:$NHDT-Revision: 1.318 $ */
 /* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */
 /*-Copyright (c) Robert Patrick Rankin, 2013. */
 /* NetHack may be freely redistributed.  See license for details. */
@@ -4442,23 +4442,21 @@ random_response(buf, sz)
 char *buf;
 int sz;
 {
-	int count = 0;
-	while (1) {
-		char c = randomkey();
+    char c;
+    int count = 0;

-		if (c == '\n')
-			break;
-
-		if (c == '\033') {
-			count = 0;
-			break;
-		}
-
-		if (count < sz)
-			buf[count++] = c;
-	}
-
-	buf[count] = '\0';
+    for (;;) {
+        c = randomkey();
+        if (c == '\n')
+            break;
+        if (c == '\033') {
+            count = 0;
+            break;
+        }
+        if (count < sz - 1)
+            buf[count++] = c;
+    }
+    buf[count] = '\0';
 }

 int
--- a/win/win32/mhdlg.c
+++ b/win/win32/mhdlg.c
@@ -1,4 +1,4 @@
-/* NetHack 3.6	mhdlg.c	$NHDT-Date: 1432512812 2015/05/25 00:13:32 $  $NHDT-Branch: master $:$NHDT-Revision: 1.25 $ */
+/* NetHack 3.6	mhdlg.c	$NHDT-Date: 1544695946 2018/12/13 10:12:26 $  $NHDT-Branch: NetHack-3.6.2-beta01 $:$NHDT-Revision: 1.30 $ */
 /* Copyright (C) 2001 by Alex Kompel 	 */
 /* NetHack may be freely redistributed.  See license for details. */

@@ -25,13 +25,13 @@ INT_PTR CALLBACK GetlinDlgProc(HWND, UINT, WPARAM, LPARAM);
 int
 mswin_getlin_window(const char *question, char *result, size_t result_size)
 {
-	if (iflags.debug_fuzzer) {
-		random_response(result, result_size);
-		if (result[0] != '\0')
-			return IDOK;
-		else 
-			return IDCANCEL;
-	}
+    if (iflags.debug_fuzzer) {
+        random_response(result, (int) result_size);
+        if (result[0] != '\0')
+            return IDOK;
+        else
+            return IDCANCEL;
+    }

    INT_PTR ret;
    struct getlin_data data;