From a539f38efd0d821c8325846fc879a3e46d6412bf Mon Sep 17 00:00:00 2001
From: Ben Harris
Date: Sat, 7 Jan 2023 20:56:48 +0000
Subject: Mosaic: reject game descriptions containing bad characters

Only numbers and lower-case letters are allowed. Without this restriction, a buffer overrun is possible.

To demonstrate the problem, load this save file into a build of Mosaic with AddressSanitizer:

SAVEFILE:41:Simon Tatham's Portable Puzzle Collection
VERSION :1:1
GAME :6:Mosaic
PARAMS :7:8x8a0h1
CPARAMS :7:8x8a0h1
DESC :41:b2c3b~~2a5c6e3a55c6a5a4244e0c3a64d4b4232b
NSTATES :1:1
STATEPOS:1:1
---
 mosaic.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mosaic.c b/mosaic.c
index d07859a..4db960a 100644
--- a/mosaic.c
+++ b/mosaic.c
@@ -840,7 +840,8 @@ static const char *validate_desc(const game_params *params,
     while (*curr_desc != '\0') {
         if (*curr_desc >= 'a' && *curr_desc <= 'z') {
             length += *curr_desc - 'a';
-        }
+        } else if (*curr_desc < '0' || *curr_desc >= '9')
+            return "Invalid character in game description";
         length++;
         curr_desc++;
     }
-- 
cgit v1.1
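Review bot: The new range check on the added `else if` line rejects the digit '9' because it uses `>= '9'` rather than `> '9'`, so a description containing a 9 clue (which appears to be a legal value for a fully filled 3x3 neighbourhood) would now fail validation even though the commit message says all numbers are allowed; the line should read `} else if (*curr_desc < '0' || *curr_desc > '9') {` with a matching closing brace, which also restores the brace style used by the `if` branch above it. The check as written does close the overrun described in the commit message, since any character outside the two accepted ranges now returns before `length` is advanced, but it is worth a one-line comment such as `/* only 'a'-'z' run lengths and '0'-'9' clues may appear */` so the intent survives later edits. The enclosing validate_desc begins and ends outside the hunk, so whether the accumulated `length` is afterwards compared against the expected grid size cannot be confirmed from here.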