Package: xjump
Version: 2.7.5-6.1
Severity: normal
Tags: patch

Dear Maintainer,

The buffer that xjump uses to build the highscores table is too small. It only
allocates 43 characters per line but the lines actually consist of 45
characters.
This results in an overflow if the highscores table has the maximum number of
entries (the default maximum is 20).

To reproduce, compile xjump with the "-fsanitize=address" compiler option and
make it so the records file has the full 20 entries in it.
The address sanitizer should detect the overflow as soon as xjump launches,
when it attempts to display the current highscores.

I have attached a patch with a fix. It increases the size of the highscores
buffer and also replaces the calls to sprintf with safe calls to snprintf;
better risk displaying an incomplete highscores table than overflow a buffer...



-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages xjump depends on:
ii  libc6     2.19-15
ii  libx11-6  2:1.6.2-3
ii  libxaw7   2:1.0.12-2+b1
ii  libxpm4   1:3.5.11-1+b1
ii  libxt6    1:1.1.4-1+b1

xjump recommends no packages.

xjump suggests no packages.

-- no debconf information
diff -urpN xjump-2.7.5.orig/main.c xjump-2.7.5.patched/main.c
--- xjump-2.7.5.orig/main.c	2015-03-20 21:53:23.385830130 -0300
+++ xjump-2.7.5.patched/main.c	2015-03-20 22:40:51.261155723 -0300
@@ -58,7 +58,7 @@ static int GameMode; /* ¥â¡¼¥É (0¥¿¥¤¥È¥
 
 static unsigned int Sc_now;
 
-static char Score_list[43*(RECORD_ENTRY+2)+1]="";    /* ¥Ï¥¤¥¹¥³¥¢¥Æ¥­¥¹¥È */
+static char Score_list[45*(RECORD_ENTRY+2)+1]="";    /* ¥Ï¥¤¥¹¥³¥¢¥Æ¥­¥¹¥È */
 
 static XKeyboardState Keyboard;  /* ¥­¡¼¥Ü¡¼¥É¥¹¥Æ¡¼¥¿¥¹ */
 static int Repeat_mode = 1;      /* ¥­¡¼¥ê¥Ô¡¼¥È¤Î¾õÂÖ(1:default 0:off) */
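Review bot: the row width 45 in `Score_list[45*(RECORD_ENTRY+2)+1]` is a magic number that has to agree with the format string in make_score ("%4d  %10d        %-20.20s\n" is 4+2+10+8+20+1 = 45 bytes per row), and the two drifting apart is exactly how the old 43 became wrong; consider a named constant defined next to the format, or size the buffer from the format's widths, so the next change to the layout cannot reintroduce the mismatch. With the snprintf bound added in the second hunk the size is no longer what keeps the write in bounds, but an undersized buffer would now silently truncate the table, so the constant is still worth keeping honest.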
@@ -154,9 +154,17 @@ static void make_score( void )
   p += sprintf( p,"RANK    FLOOR               NAME\n\
 ----  ----------  -------------------------------\n");
 
-  for( i = 0 ; i < Record_entry ; i++ )
-    p += sprintf( p,"%4d  %10d        %-20.20s\n",i+1,
+  for( i = 0 ; i < Record_entry ; i++ ){
+    size_t space_available = sizeof(Score_list) - (p-Score_list);
+    int nprinted = snprintf(p, space_available,"%4d  %10d        %-20.20s\n",i+1,
 	    Record[i].score,Record[i].name );
+    if(nprinted <= space_available){
+      p += nprinted;
+    }else{
+      p += space_available;
+      break;
+    }
+  }
 
   p--;
   *p = '\0';
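Review bot: the truncation test `if(nprinted <= space_available)` should be `<`: snprintf returns the number of characters the full output has, excluding the terminator, so a return equal to space_available means the output was cut by one byte (the row's trailing '\n', since only space_available-1 characters plus the NUL fit) yet the loop treats the row as complete and carries on to the next one. The comparison also mixes `int` and `size_t`; a negative return (encoding error) converts to a large unsigned value and happens to take the else branch, but an explicit check states the intent and avoids the -Wsign-compare warning. Suggested replacement for the condition: `if (nprinted >= 0 && (size_t)nprinted < space_available)`, keeping the existing else branch for the truncated case. The header `sprintf` at the top of the hunk is still unbounded; it is safe only because the literal is constant and shorter than the buffer, so bounding it with snprintf too would make the whole function uniformly checked.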
1234 1000 Someone-with-a-very-long-name
1233 1001 Someone-with-a-very-long-name
1232 1002 Someone-with-a-very-long-name
1231 1003 Someone-with-a-very-long-name
1230 1004 Someone-with-a-very-long-name
1229 1005 Someone-with-a-very-long-name
1228 1006 Someone-with-a-very-long-name
1227 1007 Someone-with-a-very-long-name
1226 1008 Someone-with-a-very-long-name
1225 1009 Someone-with-a-very-long-name
1224 1010 Someone-with-a-very-long-name
1223 1011 Someone-with-a-very-long-name
1222 1012 Someone-with-a-very-long-name
1221 1013 Someone-with-a-very-long-name
1220 1014 Someone-with-a-very-long-name
1219 1015 Someone-with-a-very-long-name
1218 1016 Someone-with-a-very-long-name
1217 1017 Someone-with-a-very-long-name
1216 1018 Someone-with-a-very-long-name
1215 1019 Someone-with-a-very-long-name
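As an added example (not part of this report and not xjump's code), the following is a bounded table builder that follows the snprintf contract: it never writes past the caller's buffer, always NUL-terminates, and returns the length the complete table needs so the caller can tell truncation from success and size the buffer from a dry run instead of a hard-coded per-row constant. The row widths copy the format string in the patch above; the `struct record`, the two-line header text and the sample entries are assumptions constructed here, not xjump's.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A highscore entry as assumed for this example (xjump's real Record type
 * is not shown in the report). */
struct record {
    int  score;
    char name[32];
};

/* Row format with the same field widths as xjump's make_score():
 * 4 + 2 + 10 + 8 + 20 + 1 = 45 bytes per row for any rank below 10000 and
 * any score below 10^10, because %-20.20s both pads and truncates the name. */
#define ROW_FMT  "%4d" "  " "%10d" "        " "%-20.20s" "\n"

/* Constructed two-line header aligned to ROW_FMT: 29 + 45 = 74 bytes. */
#define HEADER \
    "RANK" "  " "     FLOOR" "        " "NAME" "\n" \
    "----" "  " "----------" "        " "--------------------" "\n"

/* Builds the table into buf (bufsize bytes; NULL/0 makes it a dry run).
 * Never writes past buf + bufsize and always NUL-terminates when bufsize > 0.
 * Returns the length of the complete table, like snprintf does, so a return
 * value >= bufsize tells the caller the stored copy was truncated. */
size_t format_scores(char *buf, size_t bufsize, const struct record *recs, int n)
{
    size_t used;               /* bytes of output produced, stored or not */
    int r = snprintf(buf, bufsize, "%s", HEADER);
    int i;

    if (r < 0) {               /* encoding error: leave an empty string */
        if (bufsize > 0)
            buf[0] = '\0';
        return 0;
    }
    used = (size_t)r;

    for (i = 0; i < n; i++) {
        /* Once the window is exhausted, keep measuring into a zero-length
         * window (snprintf(NULL, 0, ...) is valid C99) instead of forming a
         * pointer past the end of the buffer. */
        size_t remaining = used < bufsize ? bufsize - used : 0;
        char  *dst       = remaining > 0 ? buf + used : NULL;

        r = snprintf(dst, remaining, ROW_FMT, i + 1, recs[i].score, recs[i].name);
        if (r < 0)
            break;
        /* Add the row's full length whether or not it was stored, so the
         * return value reports the size the complete table needs. */
        used += (size_t)r;
    }
    return used;
}

/* Buffer size needed for the complete table, obtained from a dry run rather
 * than hard-coded as 43*(N+2)+1 or 45*(N+2)+1. */
size_t score_table_size(const struct record *recs, int n)
{
    return format_scores(NULL, 0, recs, n) + 1;   /* +1 for the NUL */
}

/* Fills n constructed entries shaped like the records file in the report. */
void make_sample_records(struct record *out, int n)
{
    int i;
    for (i = 0; i < n; i++) {
        out[i].score = 1000 + i;
        snprintf(out[i].name, sizeof out[i].name, "%s",
                 "Someone-with-a-very-long-name");   /* 29 chars, shown as 20 */
    }
}

int main(void)
{
    struct record recs[20];
    char table[1024];
    size_t need, len;

    make_sample_records(recs, 20);
    need = score_table_size(recs, 20);
    len  = format_scores(table, sizeof table, recs, 20);
    printf("need %zu bytes, wrote %zu; 43*(20+2)+1 = %d, 45*(20+2)+1 = %d\n",
           need, len, 43 * 22 + 1, 45 * 22 + 1);
    fputs(table, stdout);
    return 0;
}
```

With 20 entries the dry run reports 975 bytes (74 header + 20 rows of 45 + NUL), which is more than the original 43*(20+2)+1 = 947 and within the patched 45*(20+2)+1 = 991; a caller that compares the return value against its buffer size sees truncation immediately instead of discovering it with the address sanitizer.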
