Re: [Freeciv-Dev] (PR#40486) S2_2: game load -> buffer overflow

2008-09-14 Thread Egor Vyscrebentsov

http://bugs.freeciv.org/Ticket/Display.html?id=40486

On Sun, 14 Sep 2008 03:46:25 -0700 Egor Vyscrebentsov wrote:

> S2_2, r15205.
> Loading game crashes civserver with buffer overflow.
> 
> Reason: too small buffer in player_load_vision()

Looks like a copy-paste from map_load() [where this buffer
is really enough.]

> Attached patch works for me, though I guess we need smth like
> fc_s[n]printf().

And, of course, there is my_snprintf() already...

[Side note.] Game loading looks too unsafe... /me wants
to see civserver not crashing if there is no entry while
capability is present, for example.

-- 
Thanks, evyscr



___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev
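An added example (not Freeciv code) showing the arithmetic behind the buffer size discussed in this thread: the savegame key format from the patch, "player%d.map_b%02d_%%03d", already needs 20 characters plus the NUL for player 0, so a 16-byte buffer could never hold it, and checking the snprintf() return value turns silent truncation into a detectable failure. The function names format_map_key() and map_key_len() are mine, not the project's.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <limits.h>

/* Key format copied from the PR#40486 patch; "%%" yields a literal '%'. */
#define MAP_KEY_FMT "player%d.map_b%02d_%%03d"

/* Build the key into buf. snprintf() returns the length the full string
 * would have had, so any value >= len means it was truncated; instead of
 * silently looking up a wrong key (or overflowing, as sprintf() did), we
 * clear buf and report failure. */
static bool format_map_key(char *buf, size_t len, int plrno, int j)
{
  int n = snprintf(buf, len, MAP_KEY_FMT, plrno, j);

  if (n < 0 || (size_t)n >= len) {
    if (len > 0) {
      buf[0] = '\0';
    }
    return false;
  }
  return true;
}

/* Length of the key for the given plrno and j, without the NUL. */
static size_t map_key_len(int plrno, int j)
{
  return (size_t)snprintf(NULL, 0, MAP_KEY_FMT, plrno, j);
}

int main(void)
{
  char small[16];  /* pre-patch size */
  char big[32];    /* post-patch size */

  printf("player 0 key needs %zu chars + NUL\n", map_key_len(0, 0));
  /* Worst case for any int plrno and a two-digit j: 30 chars + NUL. */
  printf("worst case needs %zu chars + NUL\n", map_key_len(INT_MIN, 99));
  printf("buf[16]: %s\n",
         format_map_key(small, sizeof small, 0, 0) ? "fits" : "too small");
  printf("buf[32]: %s\n",
         format_map_key(big, sizeof big, 0, 0) ? "fits" : "too small");
  return 0;
}
```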


[Freeciv-Dev] (PR#40486) S2_2: game load -> buffer overflow

2008-09-14 Thread Egor Vyscrebentsov

http://bugs.freeciv.org/Ticket/Display.html?id=40486

Good daytime!

S2_2, r15205.
Loading game crashes civserver with buffer overflow.

Reason: too small buffer in player_load_vision()

Attached patch works for me, though I guess we need smth like
fc_s[n]printf().

PS. I'm having trouble with my internet connection, so I may be
unreachable for a while.

-- 
Thanks, evyscr

Index: server/savegame.c
===
--- server/savegame.c	(revision 15206)
+++ server/savegame.c	(working copy)
@@ -3018,9 +3018,9 @@
   zeroline[i]= '\0';
 
   bases_halfbyte_iterate(j) {
-char buf[16]; /* enough for sprintf() below */
+char buf[32]; /* should be enough for snprintf() below */
 
-sprintf(buf, "player%d.map_b%02d_%%03d", plrno, j);
+snprintf(buf, sizeof(buf), "player%d.map_b%02d_%%03d", plrno, j);
 
 LOAD_MAP_DATA(ch, nat_y, ptile,
   secfile_lookup_str_default(file, zeroline, buf, nat_y),
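Review bot: the new comment on buf[32] ("should be enough for snprintf() below") still leaves the size unjustified; the format "player%d.map_b%02d_%%03d" expands to 20 characters plus the NUL even for plrno 0, which is why buf[16] could never have held it, and to at most 30 plus the NUL for any int plrno with a two-digit j, so 32 is sufficient and the comment could state that bound instead of guessing. Also note that snprintf() truncates silently, so an over-long key would now turn into a wrong secfile_lookup_str_default() lookup rather than a crash; checking the return value against sizeof(buf), or using the project's my_snprintf() mentioned in the reply, would make that failure visible.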