ref: 942d883d9bf86f4240dc7ec22b726d64f6db9af2
parent: 4845f3e913a02417fe7a8d84c6407d40807ec0ec
author: Ben Harris <bjh21@bjh21.me.uk>
date: Sun Jan 8 05:20:26 EST 2023
Range-check normal moves in Undead

Normal moves shouldn't be allowed to write outside the board. This buffer overrun can be demonstrated by building Undead with AddressSanitizer and loading this save file:

SAVEFILE:41:Simon Tatham's Portable Puzzle Collection VERSION :1:1 GAME :6:Undead PARAMS :5:4x4dn CPARAMS :5:4x4dn DESC :48:5,0,5,cRRaLRcLRc,0,2,1,3,1,0,0,3,4,3,2,3,4,2,1,1 NSTATES :1:2 STATEPOS:1:2 MOVE :3:Z10
--- a/undead.c
+++ b/undead.c
@@ -2084,6 +2084,7 @@
c == 'g' || c == 'v' || c == 'z') {
move++;
sscanf(move, "%d%n", &x, &n);
+ if (x < 0 || x >= ret->common->num_total) goto badmove;
if (c == 'G') ret->guess[x] = 1;
if (c == 'V') ret->guess[x] = 2;
if (c == 'Z') ret->guess[x] = 4;
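Review bot: The return value of the `sscanf` on the line before the new check is still ignored, so a move string with no digits after the letter leaves `x` at whatever value it held before the call and never sets `n`; the new range check then tests a stale value (indeterminate, if `x` is only declared earlier in this function — the function starts outside the hunk), and any later use of `n` to advance `move` would act on an unset count. Changing that line to `if (sscanf(move, "%d%n", &x, &n) != 1) goto badmove;` makes a failed parse take the same rejection path this commit introduces in the second hunk. The lowercase move letters ('g', 'v', 'z') matched on the first context line presumably index the board the same way further down this branch; those lines are outside the hunk and should carry the same bound.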
@@ -2109,6 +2110,7 @@
move++;
} else {
/* Unknown move type. */
+ badmove:
free_game(ret);
return NULL;
}