shithub: puzzles

ref: a539f38efd0d821c8325846fc879a3e46d6412bf
parent: 5279fd24b2f4a51e760bfde873fe1d29547220a6
author: Ben Harris <bjh21@bjh21.me.uk>
date: Sat Jan 7 15:56:48 EST 2023

Mosaic: reject game descriptions containing bad characters

Only numbers and lower-case letters are allowed.  Without this
restriction, a buffer overrun is possible.

To demonstrate the problem, load this save file into a build of Mosaic
with AddressSanitizer:

SAVEFILE:41:Simon Tatham's Portable Puzzle Collection
VERSION :1:1
GAME    :6:Mosaic
PARAMS  :7:8x8a0h1
CPARAMS :7:8x8a0h1
DESC    :41:b2c3b~~2a5c6e3a55c6a5a4244e0c3a64d4b4232b
NSTATES :1:1
STATEPOS:1:1

--- a/mosaic.c
+++ b/mosaic.c
@@ -840,7 +840,8 @@
     while (*curr_desc != '\0') {
         if (*curr_desc >= 'a' && *curr_desc <= 'z') {
             length += *curr_desc - 'a';
-        }
+        } else if (*curr_desc < '0' || *curr_desc >= '9')
+            return "Invalid character in game description";
         length++;
         curr_desc++;
     }
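
Review bot: The upper bound in the new `else if` looks off by one: `*curr_desc >= '9'` rejects the character '9' itself, while the commit message says numbers and lower-case letters are allowed. If '9' is meant to be accepted, the test should read `*curr_desc < '0' || *curr_desc > '9'`. As a style point, the new branch is unbraced while the `if` it hangs off is braced; bracing both would keep the following `length++` visibly outside the conditional.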