authorBen Harris <bjh21@bjh21.me.uk>2023-01-07 20:56:48 +0000
committerBen Harris <bjh21@bjh21.me.uk>2023-01-15 16:21:37 +0000
commita539f38efd0d821c8325846fc879a3e46d6412bf (patch)
treee8d6b20f057f32392eb839eef7a7f2ae33e9b320
parent5279fd24b2f4a51e760bfde873fe1d29547220a6 (diff)
downloadpuzzles-a539f38efd0d821c8325846fc879a3e46d6412bf.zip
puzzles-a539f38efd0d821c8325846fc879a3e46d6412bf.tar.gz
puzzles-a539f38efd0d821c8325846fc879a3e46d6412bf.tar.bz2
puzzles-a539f38efd0d821c8325846fc879a3e46d6412bf.tar.xz
Mosaic: reject game descriptions containing bad characters
Only numbers and lower-case letters are allowed. Without this restriction, a buffer overrun is possible. To demonstrate the problem, load this save file into a build of Mosaic with AddressSanitizer: SAVEFILE:41:Simon Tatham's Portable Puzzle Collection VERSION :1:1 GAME :6:Mosaic PARAMS :7:8x8a0h1 CPARAMS :7:8x8a0h1 DESC :41:b2c3b~~2a5c6e3a55c6a5a4244e0c3a64d4b4232b NSTATES :1:1 STATEPOS:1:1
-rw-r--r--mosaic.c3
1 files changed, 2 insertions, 1 deletions
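diff --git a/mosaic.c b/mosaic.c
index d07859a..4db960a 100644
--- a/mosaic.c
+++ b/mosaic.c
@@ -840,7 +840,8 @@ static const char *validate_desc(const game_params *params,
 while (*curr_desc != '\0') {
 if (*curr_desc >= 'a' && *curr_desc <= 'z') {
 length += *curr_desc - 'a';
- }
+ } else if (*curr_desc < '0' || *curr_desc >= '9')
+ return "Invalid character in game description";
 length++;
 curr_desc++;
 }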
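Review bot: The added `else if` rejects the digit '9' because its upper bound is `>= '9'` rather than `> '9'`; if a clue of 9 (a fully filled 3x3 neighbourhood) is a legal Mosaic value — the hunk does not show the clue range, so confirm against the generator — a valid description would now be refused as an invalid character. The condition should read `} else if (*curr_desc < '0' || *curr_desc > '9') {` with the `return` braced to match the `if` above it. With a signed `char`, bytes above 0x7F are negative and already fail the `< '0'` test, so the non-ASCII case is covered either way. validate_desc begins before this hunk and continues after it, so what is later done with `length` is not visible here.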