| author | Simon Tatham <anakin@pobox.com> | 2023-01-22 09:30:57 +0000 |
|---|---|---|
| committer | Simon Tatham <anakin@pobox.com> | 2023-01-22 09:30:57 +0000 |
| commit | b907e278751b740da7b9dc00c0cbdb93e7498919 (patch) | |
| tree | c458059f76bb2a1d9191256dbfaa0793c79fbe60 /filling.c | |
| parent | 5cac6a09c4db2b7e05c3e8dfd8920e2cdd1b8b03 (diff) | |

Add validate_params bounds checks in a few more games.

Ben tells me that his recent work in this area was entirely driven by
fuzzing: he added bounds checks in validate_params when the fuzzer had
managed to prove that the lack of them allowed something buggy to
happen.

It seemed worth doing an eyeball-review pass to complement that
strategy, so in this commit I've gone through and added a few more
checks that restrict the area of the grid to be less than INT_MAX.

Notable in this commit: cube.c had to do something complicated because
in the triangular-grid modes the area isn't calculated as easily as
w*h, and Range's existing check that w+h-1 < SCHAR_MAX is sufficient
to rule out w*h being overlarge _but_ should be done before w*h is
ever computed.

Diffstat (limited to 'filling.c')
| -rw-r--r-- | filling.c | 2 |
1 files changed, 2 insertions, 0 deletions
@@ -188,6 +188,8 @@ static const char *validate_params(const game_params *params, bool full) { if (params->w < 1) return "Width must be at least one"; if (params->h < 1) return "Height must be at least one"; + if (params->w > INT_MAX / params->h) + return "Width times height must not be unreasonably large"; return NULL; } |
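
Review bot: the added test `params->w > INT_MAX / params->h` divides by `params->h`, so it is only safe because it sits after the `params->h < 1` rejection; a one-line comment recording that ordering dependency would keep a later reshuffle of these checks from introducing a division by zero. The test also accepts a grid whose area is exactly INT_MAX, while the commit message describes restricting the area to be less than INT_MAX, so use `>=` if the strict bound is what is intended. The diffstat shows only these two insertions in filling.c, so it is worth confirming that INT_MAX is already visible in this file through `<limits.h>` or a project header.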