diff --git a/doc/fixes36.4 b/doc/fixes36.4
index f1ec65af0..441dd7770 100644
--- a/doc/fixes36.4
+++ b/doc/fixes36.4
@@ -1,8 +1,8 @@ $NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.4 $ $NHDT-Date: 1576287569 2019/12/14 01:39:29 $ -This fixes36.4 file is here to capture information about updates in the 3.6.x -lineage following the release of 3.6.3 in December 2019. Hypothetical version -3.6.4 may not be released, in which case these fixes will appear in 3.7.0. +fixes36.4 contains a terse summary of changes made to 3.6.3 in order to +produce 3.6.4. + General Fixes and Modified Features -----------------------------------
@@ -15,11 +15,7 @@ message "your knapsack can't accomodate any more items" when picking stuff up or removing such from container was inaccurate if there was some gold pending; vary the message rather than add more convoluted pickup code dozen-ish assorted spelling/typo fixes in messages and source comments -flying hero could not use a hole deliberately with '>' - - -Fixes to Post-3.6.3 Problems that Were Exposed Via git Repository ------------------------------------------------------------------- +fix potential buffer overflow when parsing run-time configuration file Platform- and/or Interface-Specific Fixes or Features
@@ -30,13 +26,6 @@ allow run-from-removable-device on Windows General New Features -------------------- - - -NetHack Community Patches (or Variation) Included ------------------------------------------------- - - -Code Cleanup and Reorganization ------------------------------- +none
diff --git a/src/files.c b/src/files.c
index 7f9cf65b0..5e500ae3a 100644
--- a/src/files.c
+++ b/src/files.c
@@ -2309,10 +2309,14 @@ char *origbuf;
int len;
boolean retval = TRUE;
+ while (*origbuf == ' ' || *origbuf == '\t') /* skip leading whitespace */
+ ++origbuf; /* (caller probably already did this) */
+ (void) strncpy(buf, origbuf, sizeof buf - 1);
+ buf[sizeof buf - 1] = '\0'; /* strncpy not guaranteed to NUL terminate */
/* convert any tab to space, condense consecutive spaces into one, remove leading and trailing spaces (exception: if there is nothing but spaces, one of them will be kept even though it leads/trails) */
- mungspaces(strcpy(buf, origbuf));
+ mungspaces(buf);
/* find the '=' or ':' */
bufp = find_optparam(buf);
@@ -3034,7 +3038,11 @@ boolean proc_wizkit_line(buf)
char *buf;
{
- struct obj *otmp = readobjnam(buf, (struct obj *) 0);
+ struct obj *otmp;
+
+ if (strlen(buf) >= BUFSZ)
+ buf[BUFSZ - 1] = '\0';
+ otmp = readobjnam(buf, (struct obj *) 0);
if (otmp) {
if (otmp != &zeroobj)
@@ -3142,22 +3150,23 @@ boolean FDECL((*proc), (char *));
/* merge now read line with previous ones, if necessary */
if (!ignoreline) {
- len = (int) strlen(inbuf) + 1;
+ len = (int) strlen(ep) + 1; /* +1: final '\0' */
if (buf)
- len += (int) strlen(buf);
+ len += (int) strlen(buf) + 1; /* +1: space */
tmpbuf = (char *) alloc(len);
+ *tmpbuf = '\0';
if (buf) {
- Sprintf(tmpbuf, "%s %s", buf, inbuf);
+ Strcat(strcpy(tmpbuf, buf), " ");
free(buf);
- } else
- Strcpy(tmpbuf, inbuf);
- buf = tmpbuf;
+ }
+ buf = strcat(tmpbuf, ep);
+ buf[sizeof inbuf - 1] = '\0';
}
if (morelines || (ignoreline && !oldline))
continue;
- if (handle_config_section(ep)) {
+ if (handle_config_section(buf)) {
free(buf);
buf = (char *) 0;
continue;
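Review bot: The strncpy/NUL-terminate pair added at the top of the hunk clips an over-long origbuf silently, so a line that used to overrun the strcpy now parses as a different, shorter option with no diagnostic; since this file reports parse problems through config_error_add, consider e.g. `if (strlen(origbuf) >= sizeof buf) config_error_add("Config line too long, truncated");` ahead of the copy. The `sizeof buf` arithmetic is right only while buf stays a fixed-size local array (its declaration is above the hunk), so a comment such as `/* buf is a fixed-size array; sizeof is intentional */` would protect against a later change to a pointer. The comment `(caller probably already did this)` records a guess; stating the actual contract for leading blanks would be more useful to the next reader. The enclosing function continues beyond the hunk.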
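Review bot: The new guard `if (strlen(buf) >= BUFSZ) buf[BUFSZ - 1] = '\0';` in proc_wizkit_line is repeated verbatim in the @@ -3300 hunk, so a small `static void` helper (say `clip_to_bufsz(char *s)`) with a comment stating that callers may hand over a line longer than BUFSZ would remove the duplication and give that contract one home. The store at index BUFSZ - 1 is in bounds only because strlen(buf) >= BUFSZ guarantees the string already extends past that byte; that deserves a one-line comment, since this function cannot see the size of the caller's buffer and the write looks unsafe at first glance. Clipping is also silent here, so an over-long item description is parsed as a different one; reporting it via config_error_add, as the section-choosing code in this file does, would make the truncation visible to the user.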
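Review bot: `buf[sizeof inbuf - 1] = '\0';` stores to a fixed offset in tmpbuf, but tmpbuf was allocated with only `len` bytes (strlen(ep) + 1, plus strlen(buf) + 1 when merging), so whenever the merged string is shorter than sizeof inbuf - 1 this writes one byte past the end of the heap allocation; the terminator must be conditional: `if (strlen(buf) >= sizeof inbuf) buf[sizeof inbuf - 1] = '\0';`. Even the conditional form only trims the string after alloc() has been sized by the full combined length, so if the intent is also to bound memory use across many continuation lines, clamp len before `alloc(len)` instead. The `*tmpbuf = '\0';` line is what makes the unconditional strcat below correct for a first line; a short comment saying so would help. The enclosing loop and function continue beyond the hunk.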
@@ -3179,11 +3188,11 @@ boolean FDECL((*proc), (char *));
}
bufp++;
if (config_section_chosen)
- free(config_section_chosen);
+ free(config_section_chosen), config_section_chosen = 0;
section = choose_random_part(bufp, ',');
- if (section)
+ if (section) {
config_section_chosen = dupstr(section);
- else {
+ } else {
config_error_add("No config section to choose");
rv = FALSE;
}
@@ -3300,6 +3309,8 @@ int which_set;
struct symparse *symp;
char *bufp, *commentp, *altp;
+ if (strlen(buf) >= BUFSZ)
+ buf[BUFSZ - 1] = '\0';
/* convert each instance of whitespace (tabs, consecutive spaces) into a single space; leading and trailing spaces are stripped */
mungspaces(buf);
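Review bot: `free(config_section_chosen), config_section_chosen = 0;` hides two statements behind the comma operator so the preceding if can stay brace-less, while the same hunk adds braces to the `if (section)` branch two lines below; for consistency write it as a braced block with `free(config_section_chosen);` and `config_section_chosen = (char *) 0;` on separate lines, matching the `(char *) 0` idiom used in the @@ -3142 hunk. Resetting the pointer is the right fix, because the dupstr on the success path is skipped when choose_random_part returns NULL and the old code left a dangling pointer behind; a comment such as `/* clear so a failed choice below cannot leave a dangling pointer */` would record that reason. The enclosing function continues outside the hunk.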