| author | Ben Harris <bjh21@bjh21.me.uk> | 2023-01-08 11:31:36 +0000 |
|---|---|---|
| committer | Ben Harris <bjh21@bjh21.me.uk> | 2023-01-15 16:21:37 +0000 |
| commit | e5717d1ba2184eb6e38b4e2a9d29dc4704aeef30 (patch) | |
| tree | 76bf481af08f680882666fba99110d0bc1af802c | |
| parent | 942d883d9bf86f4240dc7ec22b726d64f6db9af2 (diff) | |
Range-check record lengths when deserialising games

"1999999999999999999999999999999999999999999999999999" as a record
length should lead to an error, not a buffer overrun.

(fun fact that was less obvious to me than it should have been: very
large powers of ten are multiples of large powers of two, so that number
is -1 mod 2^32)

This bug can be demonstrated by building any puzzle with
AddressSanitizer and then loading this save file:

SAVEFILE:41:Simon Tatham's Portable Puzzle Collection
VERSION :1999999999999999999999999999999999999999999999999999:1
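An added example, not code from the puzzles repository: a self-contained version of the guarded length parser the commit describes, plus a 32-bit modular accumulation showing that the quoted length wraps to 0xFFFFFFFF (the -1 mod 2^32 from the message). The `NAME:LEN:VALUE` record layout is taken from the save file above; the function names and the treatment of leading whitespace are assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse the decimal length field of a "NAME:LEN:VALUE" record, stopping at
 * the ':' that ends it. Returns the length, or -1 if the field is empty,
 * contains a non-digit, or has too many digits to fit in an int. The guard
 * is the one from the commit: accept another digit only while
 * len * 10 + 9 is still guaranteed to fit (slightly conservative near INT_MAX). */
static int parse_record_length(const char *field, const char **rest)
{
    int len = 0;
    int started = 0;
    const char *p = field;

    for (; *p != '\0'; p++) {
        char c = *p;
        if (c == ':')
            break;
        if (c >= '0' && c <= '9' && len < (INT_MAX - 10) / 10) {
            len = len * 10 + (c - '0');
            started = 1;
        } else {
            return -1;          /* non-digit, or overflow would occur */
        }
    }
    if (!started || *p != ':')
        return -1;              /* empty or unterminated length field */
    if (rest)
        *rest = p + 1;
    return len;
}

/* Unguarded accumulation in 32-bit modular arithmetic: what the digits
 * reduce to when each step is allowed to wrap. */
static uint32_t wrapped_length(const char *digits)
{
    uint32_t len = 0;
    for (; *digits >= '0' && *digits <= '9'; digits++)
        len = len * 10u + (uint32_t)(*digits - '0');
    return len;
}

/* Constructed input: the length from the save file in the commit message. */
#define HUGE_LEN "1999999999999999999999999999999999999999999999999999"

int main(void)
{
    printf("%d %d 0x%08x\n", parse_record_length("41:x", NULL),
           parse_record_length(HUGE_LEN ":1", NULL),
           (unsigned)wrapped_length(HUGE_LEN));
    return 0;
}
```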
| -rw-r--r-- | midend.c | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -2310,7 +2310,7 @@ static const char *midend_deserialise_internal( if (c == ':') { break; - } else if (c >= '0' && c <= '9') { + } else if (c >= '0' && c <= '9' && len < (INT_MAX - 10) / 10) { len = (len * 10) + (c - '0'); } else { if (started) @@ -2704,7 +2704,7 @@ const char *identify_game(char **name, if (c == ':') { break; - } else if (c >= '0' && c <= '9') { + } else if (c >= '0' && c <= '9' && len < (INT_MAX - 10) / 10) { len = (len * 10) + (c - '0'); } else { if (started) |
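Review bot: the guard `len < (INT_MAX - 10) / 10` in the `midend_deserialise_internal` hunk is correct but slightly conservative: it guarantees `len * 10 + 9` stays below `INT_MAX`, while also rejecting a handful of representable values just under `INT_MAX`, which is harmless for a record length. A one-line comment on the new condition would help, since a reader may otherwise wonder why a decimal digit is deliberately routed into the `else` branch; the effect is that an over-long length is reported as malformed input rather than silently wrapping.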
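Review bot: the `identify_game` hunk repeats the same digit-accumulation loop and the same overflow check as `midend_deserialise_internal`; consider factoring the length parsing (including the bound) into one shared helper so the two copies cannot drift apart the next time the check is adjusted.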