authordrochner <drochner@NetBSD.org>2006-06-01 16:12:27 +0000
committerdrochner <drochner@NetBSD.org>2006-06-01 16:12:27 +0000
commitd8bc1d48404a4b9487e12764de024eb5e435c77a (patch)
treec7ae257f0d710a1e5944dbc9c3e289cd6b9eff90 /tetris
parentcc268dec31a1421ca85abfcbf593e18570d3e010 (diff)
Better check data read from tetris.scores before use as array indices etc.
This is CVE-2006-1539, filed against Gentoo Linux; the patch is from Gentoo. A standard NetBSD installation is not as much at risk because tetris is sgid "games", and users shouldn't be in that group.
Diffstat (limited to 'tetris')
-rw-r--r--tetris/scores.c21
1 files changed, 12 insertions, 9 deletions
diff --git a/tetris/scores.c b/tetris/scores.c
index bf18aa98..d215261c 100644
--- a/tetris/scores.c
+++ b/tetris/scores.c
@@ -1,4 +1,4 @@
-/* $NetBSD: scores.c,v 1.13 2004/01/27 20:30:30 jsm Exp $ */
+/* $NetBSD: scores.c,v 1.14 2006/06/01 16:12:27 drochner Exp $ */
/*-
* Copyright (c) 1992, 1993
@@ -334,7 +334,8 @@ checkscores(hs, num)
continue;
}
}
- levelfound[sp->hs_level] = 1;
+ if (sp->hs_level < NLEVELS && sp->hs_level >= 0)
+ levelfound[sp->hs_level] = 1;
i++, sp++;
}
return (num > MAXHISCORES ? MAXHISCORES : num);
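Review bot: The lower bound in the new check guarding `levelfound[sp->hs_level] = 1` is 0, while the showscores hunk further down clears levelfound only from MINLEVEL upward. If MINLEVEL is greater than 0, a stored level of 0 passes the check and showscores then reads an element that was never initialised. Using the same range as the initialisation loop closes that gap: `if (sp->hs_level >= MINLEVEL && sp->hs_level < NLEVELS)`. The identical condition in the showscores hunk should change with it. checkscores starts before this hunk, so whether its own levelfound is also cleared from MINLEVEL is not visible here.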
@@ -373,12 +374,14 @@ showscores(level)
for (i = MINLEVEL; i < NLEVELS; i++)
levelfound[i] = 0;
for (i = 0, sp = scores; i < nscores; i++, sp++) {
- if (levelfound[sp->hs_level])
- sp->hs_time = 0;
- else {
- sp->hs_time = 1;
- levelfound[sp->hs_level] = 1;
- }
+ if (sp->hs_level < NLEVELS && sp->hs_level >= 0) {
+ if (levelfound[sp->hs_level])
+ sp->hs_time = 0;
+ else {
+ sp->hs_time = 1;
+ levelfound[sp->hs_level] = 1;
+ }
+ }
}
/*
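Review bot: A record whose hs_level fails the new range check skips the whole block, so its hs_time keeps whatever value it already had, presumably the one read from the score file. The printem hunk uses that field to choose the `*` marker. Clearing it explicitly keeps the flag under program control: close the guarded block with `} else sp->hs_time = 0;`. The entry is also still handed on for display with its out-of-range level, so rejecting such records where the file is read would be the more complete fix.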
@@ -432,7 +435,7 @@ printem(level, offset, hs, n, me)
continue;
}
sp = &hs[item];
- (void)sprintf(buf,
+ (void)snprintf(buf, sizeof(buf),
"%3d%c %6d %-11s (%6d on %d)",
item + offset, sp->hs_time ? '*' : ' ',
sp->hs_score * sp->hs_level,
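Review bot: Switching to `snprintf(buf, sizeof(buf), ...)` bounds the write, but `%-11s` sets only a minimum field width, so the read of the name argument is still unbounded. If that string comes from the score file without a guaranteed terminator (its handling is outside this hunk), the call can read past the field. Either force a NUL into the last byte of the name when the record is loaded, or give the conversion a precision, e.g. `%-11.11s` if truncating to the column width is acceptable. Two smaller points: `sizeof(buf)` is only the right bound if buf is declared as an array, which is not visible here, and the `(void)` cast hides truncation. The statement continues past the end of the hunk.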