Package: xjump
Version: 2.7.5-6.1
Severity: normal
Tags: patch

Dear Maintainer,

The buffer that xjump uses to build the highscores table is too small. It only allocates 43 characters per line, but the lines actually consist of 45 characters. This results in an overflow if the highscores table has the maximum number of entries (the default maximum is 20).

To reproduce, compile xjump with the "-fsanitize=address" compiler option and make it so the records file has the full 20 entries in it. The address sanitizer should detect the overflow as soon as xjump launches, when it attempts to display the current highscores.

I have attached a patch with a fix. It increases the size of the highscores buffer and also replaces the calls to sprintf with safe calls to snprintf. Better risk displaying an incomplete highscores table than overflow a buffer...

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages xjump depends on:
ii  libc6     2.19-15
ii  libx11-6  2:1.6.2-3
ii  libxaw7   2:1.0.12-2+b1
ii  libxpm4   1:3.5.11-1+b1
ii  libxt6    1:1.1.4-1+b1

xjump recommends no packages.

xjump suggests no packages.

-- no debconf information
diff -urpN xjump-2.7.5.orig/main.c xjump-2.7.5.patched/main.c --- xjump-2.7.5.orig/main.c 2015-03-20 21:53:23.385830130 -0300 +++ xjump-2.7.5.patched/main.c 2015-03-20 22:40:51.261155723 -0300 @@ -58,7 +58,7 @@ static int GameMode; /* ¥â¡¼¥É (0¥¿¥¤¥È¥ static unsigned int Sc_now; -static char Score_list[43*(RECORD_ENTRY+2)+1]=""; /* ¥Ï¥¤¥¹¥³¥¢¥Æ¥¥¹¥È */ +static char Score_list[45*(RECORD_ENTRY+2)+1]=""; /* ¥Ï¥¤¥¹¥³¥¢¥Æ¥¥¹¥È */ static XKeyboardState Keyboard; /* ¥¡¼¥Ü¡¼¥É¥¹¥Æ¡¼¥¿¥¹ */ static int Repeat_mode = 1; /* ¥¡¼¥ê¥Ô¡¼¥È¤Î¾õÂÖ(1:default 0:off) */ @@ -154,9 +154,17 @@ static void make_score( void ) p += sprintf( p,"RANK FLOOR NAME\n\ ---- ---------- -------------------------------\n"); - for( i = 0 ; i < Record_entry ; i++ ) - p += sprintf( p,"%4d %10d %-20.20s\n",i+1, + for( i = 0 ; i < Record_entry ; i++ ){ + size_t space_available = sizeof(Score_list) - (p-Score_list); + int nprinted = snprintf(p, space_available,"%4d %10d %-20.20s\n",i+1, Record[i].score,Record[i].name ); + if(nprinted <= space_available){ + p += nprinted; + }else{ + p += space_available; + break; + } + } p--; *p = '\0';
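Review bot: in the `Score_list[45*(RECORD_ENTRY+2)+1]` line the new 45 is as much a magic number as the old 43 and can drift out of sync with the format strings in `make_score` exactly as the old value did; suggest a named constant defined next to those formats, e.g. `#define SCORE_LINE_LEN 45 /* widest line make_score produces */`, with a comment deriving it from the header lines and the `"%4d %10d %-20.20s\n"` entry format, so a change to either side forces a look at the other. With the bounded loop of the second hunk an undersized value now truncates instead of corrupting memory, but the displayed table would then silently lose entries.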
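Review bot: the check `if(nprinted <= space_available)` compares a signed `int` against a `size_t` and accepts `nprinted == space_available` as a complete write, although snprintf returns the length it would have produced, so an equal value means the trailing newline was cut off; the usual form is `if (nprinted < 0 || (size_t)nprinted >= space_available) break; p += nprinted;`. In the truncated case the hunk advances `p += space_available` and keeps the partial line, so the last entry shown may be a fragment; leaving `p` at the start of that line and writing `*p = '\0'` there drops it cleanly, and the following `p--; *p = '\0';` then removes the previous line's newline as intended. The header is still emitted with `p += sprintf( p,"RANK FLOOR NAME\n\ ...`, which cannot overflow while the buffer is larger than the two header lines, but it should use the same bounded call for consistency.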
1234 1000 Someone-with-a-very-long-name
1233 1001 Someone-with-a-very-long-name
1232 1002 Someone-with-a-very-long-name
1231 1003 Someone-with-a-very-long-name
1230 1004 Someone-with-a-very-long-name
1229 1005 Someone-with-a-very-long-name
1228 1006 Someone-with-a-very-long-name
1227 1007 Someone-with-a-very-long-name
1226 1008 Someone-with-a-very-long-name
1225 1009 Someone-with-a-very-long-name
1224 1010 Someone-with-a-very-long-name
1223 1011 Someone-with-a-very-long-name
1222 1012 Someone-with-a-very-long-name
1221 1013 Someone-with-a-very-long-name
1220 1014 Someone-with-a-very-long-name
1219 1015 Someone-with-a-very-long-name
1218 1016 Someone-with-a-very-long-name
1217 1017 Someone-with-a-very-long-name
1216 1018 Someone-with-a-very-long-name
1215 1019 Someone-with-a-very-long-name
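The bounded-append pattern the report's patch moves toward, written out in full as an added example; this is not xjump's code and not part of the report. The truncation test follows snprintf's documented return value: a result that is negative, or not smaller than the space remaining, means the line did not fit, and the partial line is dropped rather than displayed. The `struct record` layout, the sample names, the `SCORE_HEADER` text and the `entries_that_fit` helper (which plants a canary byte just past the buffer to show that an undersized buffer is cut short instead of overflowed) are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define RECORD_ENTRY 20                    /* maximum number of highscore entries */
#define LINE_BUDGET  45                    /* bytes reserved per line, as in the report's fix */
#define SCORE_LIST_SIZE (LINE_BUDGET * (RECORD_ENTRY + 2) + 1)

/* Both header lines as one string, so they are appended as a unit (assumed text). */
static const char SCORE_HEADER[] =
    "RANK FLOOR NAME\n"
    "---- ---------- -------------------------------\n";

struct record {                            /* assumed layout, not xjump's own struct */
    int  score;
    char name[32];
};

/* Append printf-style text at out[*used].  Returns 1 if the whole text fit.
 * Returns 0 on truncation or error; the buffer stays NUL-terminated and
 * *used never moves past outsize - 1, so nothing is written out of bounds. */
static int append_fmt(char *out, size_t outsize, size_t *used, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (*used >= outsize)                  /* no room left, not even for the NUL */
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(out + *used, outsize - *used, fmt, ap);
    va_end(ap);
    if (n < 0)                             /* encoding error: leave *used untouched */
        return 0;
    if ((size_t)n >= outsize - *used) {    /* truncated: n is the length it wanted */
        *used = outsize - 1;               /* the NUL now sits in the last byte */
        return 0;
    }
    *used += (size_t)n;
    return 1;
}

/* Build the highscore table into out.  Returns how many entries were written
 * completely; a value below n means the table was cut short, never overflowed. */
static int build_score_list(const struct record *rec, int n, char *out, size_t outsize)
{
    size_t used = 0;
    int i, written = 0;

    if (outsize == 0)
        return 0;
    out[0] = '\0';
    if (!append_fmt(out, outsize, &used, "%s", SCORE_HEADER))
        return 0;
    for (i = 0; i < n; i++) {
        size_t before = used;
        if (!append_fmt(out, outsize, &used, "%4d %10d %-20.20s\n",
                        i + 1, rec[i].score, rec[i].name)) {
            out[before] = '\0';            /* drop the partial line rather than show it */
            used = before;
            break;
        }
        written++;
    }
    if (used > 0 && out[used - 1] == '\n') /* strip the final newline, as make_score does */
        out[--used] = '\0';
    return written;
}

/* Constructed sample data: 20 entries whose names exceed the 20-column field. */
static int fill_sample_records(struct record *rec, int n)
{
    int i;
    for (i = 0; i < n && i < RECORD_ENTRY; i++) {
        rec[i].score = 1000 + i;
        snprintf(rec[i].name, sizeof rec[i].name, "Someone-with-a-very-long-name");
    }
    return i;
}

/* Experiment helper: build the table into a buffer of the given capacity with a
 * canary byte just past it.  Returns the entries written, or -1 if the canary
 * was clobbered, i.e. the builder overflowed. */
static int entries_that_fit(size_t outsize)
{
    static char buf[SCORE_LIST_SIZE + 1];
    struct record rec[RECORD_ENTRY];
    int n, written;

    if (outsize > SCORE_LIST_SIZE)
        outsize = SCORE_LIST_SIZE;
    n = fill_sample_records(rec, RECORD_ENTRY);
    buf[outsize] = 0x7f;
    written = build_score_list(rec, n, buf, outsize);
    return buf[outsize] == 0x7f ? written : -1;
}

int main(void)
{
    static char score_list[SCORE_LIST_SIZE];
    struct record rec[RECORD_ENTRY];
    int n = fill_sample_records(rec, RECORD_ENTRY);
    int done = build_score_list(rec, n, score_list, sizeof score_list);

    printf("%s\n(%d of %d entries, %zu bytes used of %zu)\n",
           score_list, done, n, strlen(score_list), sizeof score_list);
    return 0;
}
```

Each entry line is exactly 37 bytes here (4 + 1 + 10 + 1 + 20 + 1), so the full table needs the header plus 20 * 37 bytes; `entries_that_fit` with a capacity of the header length plus one byte yields a header-only table, and a capacity a few bytes short of two entries yields exactly one, with the canary intact in every case.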