authorBen Harris <bjh21@bjh21.me.uk>2023-02-13 10:04:47 +0000
committerBen Harris <bjh21@bjh21.me.uk>2023-02-13 10:49:31 +0000
commit0a7c531e8f4c1970662f7c30aea006e65d5ff010 (patch)
tree287619497ee1c0ac669b1a657a52f82b96776f74
parent493bf16ddbe2185664d6c3053f7891a9f232c75c (diff)
Undead: check the return value of sscanf() in execute_move()
sscanf() assigns its output in order, so if a conversion specifier fails to match, a later "%n" specifier will also not get its result assigned. In Undead's execute_move(), this led to the result of "%n" being used without being initialised. That could cause it to try to parse arbitrary memory as part of the move string, which shouldn't be a security problem (since execute_move() handles untrusted input anyway), but could lead to a crash and certainly wasn't helpful.
-rw-r--r--undead.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/undead.c b/undead.c
index 40339ae..6feca64 100644
--- a/undead.c
+++ b/undead.c
@@ -2083,7 +2083,7 @@ static game_state *execute_move(const game_state *state, const char *move)
} else if (c == 'G' || c == 'V' || c == 'Z' || c == 'E' ||
c == 'g' || c == 'v' || c == 'z') {
move++;
- sscanf(move, "%d%n", &x, &n);
+ if (sscanf(move, "%d%n", &x, &n) != 1) goto badmove;
if (x < 0 || x >= ret->common->num_total) goto badmove;
if (c == 'G') ret->guess[x] = 1;
if (c == 'V') ret->guess[x] = 2;
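Review bot: The added return-value check closes the uninitialised-`n` hole, but the `%d` conversion on the new line still has no bound on the digit string: per C11 7.21.6.2p10 an input that does not fit an `int` is undefined behaviour, so the range check on the following line cannot safely assume `x` holds anything meaningful for a move like `G99999999999`. Since the commit message itself treats this as the untrusted-move path, parsing with `strtol` and rejecting `ERANGE` (and an empty match) removes the last way an attacker-shaped move string reaches UB here; this needs `<errno.h>` and `<stdlib.h>`, which I cannot see in this hunk. execute_move() starts and ends outside the hunk, so I am assuming `n` is consumed afterwards as `move += n` — the rewrite keeps `x` and `n` set exactly as the sscanf form did on success.
```c
            move++;
            {
                char *end;
                long v;
                errno = 0;
                v = strtol(move, &end, 10);
                if (end == move || errno == ERANGE ||
                    v < 0 || v >= ret->common->num_total) goto badmove;
                x = (int)v;
                n = (int)(end - move);  /* presumably advances move below */
            }
            /* … unchanged: guess assignments for G/V/Z/E … */
```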