From 942d883d9bf86f4240dc7ec22b726d64f6db9af2 Mon Sep 17 00:00:00 2001
From: Ben Harris
Date: Sun, 8 Jan 2023 10:20:26 +0000
Subject: Range-check normal moves in Undead

Normal moves shouldn't be allowed to write outside the board. This buffer overrun can be demonstrated by building Undead with AddressSanitizer and loading this save file:

SAVEFILE:41:Simon Tatham's Portable Puzzle Collection
VERSION :1:1
GAME :6:Undead
PARAMS :5:4x4dn
CPARAMS :5:4x4dn
DESC :48:5,0,5,cRRaLRcLRc,0,2,1,3,1,0,0,3,4,3,2,3,4,2,1,1
NSTATES :1:2
STATEPOS:1:2
MOVE :3:Z10
---
 undead.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/undead.c b/undead.c
index 9c6b6fb..f729577 100644
--- a/undead.c
+++ b/undead.c
@@ -2084,6 +2084,7 @@ static game_state *execute_move(const game_state *state, const char *move)
 c == 'g' || c == 'v' || c == 'z') {
 move++;
 sscanf(move, "%d%n", &x, &n);
+ if (x < 0 || x >= ret->common->num_total) goto badmove;
 if (c == 'G') ret->guess[x] = 1;
 if (c == 'V') ret->guess[x] = 2;
 if (c == 'Z') ret->guess[x] = 4;
@@ -2109,6 +2110,7 @@ static game_state *execute_move(const game_state *state, const char *move)
 move++;
 } else {
 /* Unknown move type. */
+ badmove:
 free_game(ret);
 return NULL;
 }
--
cgit v1.1
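Review bot: The new range check validates x, but the sscanf call on the line above still has its return value ignored, so a move letter followed by a non-digit or by the end of the string leaves x and n holding whatever they held before and the guard is applied to that stale value; x's declaration is outside the hunk, so whether it is initialised before the first move cannot be confirmed here. Folding the parse result into the same guard closes that gap: `if (sscanf(move, "%d%n", &x, &n) != 1) goto badmove;` followed by the existing bound check, which presumably matches the size of ret->guess as the commit message implies. execute_move begins before this hunk and continues past it.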
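Review bot: The `badmove:` label is placed inside the braces of the final `else` arm, directly under the `/* Unknown move type. */` comment, so a reader of that block sees only the unknown-letter case while the jump from the per-move bounds check also lands here; jumping into a nested block is well-defined C as long as no variably modified declaration precedes the label, which nothing visible here does, but a later declaration added to that block ahead of the label would break it. A one-line comment on the label keeps the second entry path visible: `badmove: /* also reached when a move index fails the bounds check above */`. The enclosing loop and execute_move continue outside this hunk.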