authorBen Harris <bjh21@bjh21.me.uk>2023-01-08 10:20:26 +0000
committerBen Harris <bjh21@bjh21.me.uk>2023-01-15 16:21:37 +0000
commit942d883d9bf86f4240dc7ec22b726d64f6db9af2 (patch)
tree824083a2310a58477c2608eb8dcc5177383822fa /undead.c
parent4845f3e913a02417fe7a8d84c6407d40807ec0ec (diff)
Range-check normal moves in Undead
Normal moves shouldn't be allowed to write outside the board. This buffer overrun can be demonstrated by building Undead with AddressSanitizer and loading this save file: SAVEFILE:41:Simon Tatham's Portable Puzzle Collection VERSION :1:1 GAME :6:Undead PARAMS :5:4x4dn CPARAMS :5:4x4dn DESC :48:5,0,5,cRRaLRcLRc,0,2,1,3,1,0,0,3,4,3,2,3,4,2,1,1 NSTATES :1:2 STATEPOS:1:2 MOVE :3:Z10
Diffstat (limited to 'undead.c')
-rw-r--r--undead.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/undead.c b/undead.c
index 9c6b6fb..f729577 100644
--- a/undead.c
+++ b/undead.c
@@ -2084,6 +2084,7 @@ static game_state *execute_move(const game_state *state, const char *move)
c == 'g' || c == 'v' || c == 'z') {
move++;
sscanf(move, "%d%n", &x, &n);
+ if (x < 0 || x >= ret->common->num_total) goto badmove;
if (c == 'G') ret->guess[x] = 1;
if (c == 'V') ret->guess[x] = 2;
if (c == 'Z') ret->guess[x] = 4;
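Review bot: The added range check protects `ret->guess[x]`, but the `sscanf` on the line before it is still unchecked, so when `%d` matches nothing `x` and `n` keep whatever they held before (possibly uninitialized, depending on declarations outside this hunk) and the new check tests a stale value; the parse should fail closed too: `if (sscanf(move, "%d%n", &x, &n) != 1) goto badmove;`. Checking the return value also guarantees `n` was written before the cursor is presumably advanced by it later in the function (that line is outside the hunk). A `%d` conversion whose digits overflow `int` is undefined behaviour per the C standard, so a `strtol` with `ERANGE` handling would harden the move parser further, though that is a larger change than this commit. The enclosing `execute_move` begins and ends outside the hunk.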
@@ -2109,6 +2110,7 @@ static game_state *execute_move(const game_state *state, const char *move)
move++;
} else {
/* Unknown move type. */
+ badmove:
free_game(ret);
return NULL;
}
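Review bot: The comment `/* Unknown move type. */` above the new `badmove:` label is now misleading, because the label is also the target of the range check added in the earlier hunk; rewording it to `/* Unknown move type, or a move index outside the board. */` keeps the purpose of this cleanup path visible. Jumping into the `else` block from the earlier `if` chain is legal C provided no variable-length array is in scope between the two points, and nothing in the hunk suggests one. `execute_move` continues outside the hunk.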