Re: [Freeciv-Dev] (PR#39898) Buffer overflow during autosave

Sat, 24 Nov 2007 03:38:34 -0800 

<URL: http://bugs.freeciv.org/Ticket/Display.html?id=39898 >

Thank you, loganjerry!  I wish that we had more such detailed reports.
Sounds like FORTIFY is a very useful feature!

The next line after the memcpy needs room for the terminating '\0'.  So,
now I've made the array +3, instead of +1 or +2.  And used another symbol.

I've also reorganized the array and variables, so that executables are
last, and array overruns will bang into the next variable (hopefully
causing a runtime exception).  My own personal technique, left over from
the days when that ordering was required by the compilers....

Lightly tested.

Committed S2_1 revision 14032.
Committed S2_2 revision 14033.
Committed trunk revision 14034.


Index: server/savegame.c
===================================================================
--- server/savegame.c   (revision 14031)
+++ server/savegame.c   (working copy)
@@ -3365,16 +3365,17 @@
    * Note that the "quoted" format is a multiple of 3.
    */
 #define PART_SIZE (3*256)
+#define PART_ADJUST (3)
   if (plr->attribute_block.data) {
+    char part[PART_SIZE + PART_ADJUST];
+    int parts;
+    int current_part_nr;
     char *quoted = quote_block(plr->attribute_block.data,
                               plr->attribute_block.length);
     char *quoted_at = strchr(quoted, ':');
     size_t bytes_left = strlen(quoted);
     size_t bytes_at_colon = 1 + (quoted_at - quoted);
-    size_t bytes_adjust = bytes_at_colon % 3;
-    int current_part_nr;
-    int parts;
-    char part[PART_SIZE + 1];
+    size_t bytes_adjust = bytes_at_colon % PART_ADJUST;
 
     secfile_insert_int(file, plr->attribute_block.length,
                       "player%d.attribute_v2_block_length", plrno);
@@ -3415,8 +3416,6 @@
     for (; current_part_nr < parts; current_part_nr++) {
       size_t size_of_current_part = MIN(bytes_left, PART_SIZE);
 
-      assert(bytes_left);
-
       memcpy(part, quoted_at, size_of_current_part);
       part[size_of_current_part] = '\0';
       secfile_insert_str(file, part,
@@ -3429,6 +3428,7 @@
     assert(bytes_left == 0);
     free(quoted);
   }
+#undef PART_ADJUST
 #undef PART_SIZE
 }
 

_______________________________________________
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev

Reply via email to