From a07de2b816b2a6d7b25bffefd1239db80d85f6d7 Mon Sep 17 00:00:00 2001
From: mrg
Date: Tue, 1 Oct 2002 14:18:57 +0000
Subject: - use correctly bounded strings when reloading a saved game. in particular, do not let the save game file "string length" exceed the amount of space supplied. as noted by on bugtraq. - minor KNF. tested by simonb.
---
 rogue/inventory.c | 12 ++++++------
 rogue/message.c | 6 +++---
 rogue/rogue.h | 12 +++++++-----
 rogue/save.c | 29 ++++++++++++++++-------------
 4 files changed, 32 insertions(+), 27 deletions(-)
(limited to 'rogue')

diff --git a/rogue/inventory.c b/rogue/inventory.c
index 1293765d..ed0f9337 100644
--- a/rogue/inventory.c
+++ b/rogue/inventory.c
@@ -1,4 +1,4 @@
-/* $NetBSD: inventory.c,v 1.7 2002/07/07 09:35:08 tron Exp $ */
+/* $NetBSD: inventory.c,v 1.8 2002/10/01 14:18:57 mrg Exp $ */
 
 /*
  * Copyright (c) 1988, 1993
@@ -41,7 +41,7 @@
 #if 0
 static char sccsid[] = "@(#)inventory.c 8.1 (Berkeley) 5/31/93";
 #else
-__RCSID("$NetBSD: inventory.c,v 1.7 2002/07/07 09:35:08 tron Exp $");
+__RCSID("$NetBSD: inventory.c,v 1.8 2002/10/01 14:18:57 mrg Exp $");
 #endif
 #endif /* not lint */
 
@@ -421,14 +421,14 @@
 void
 mix_colors()
 {
 short i, j, k;
- char *t;
+ char t[MAX_ID_TITLE_LEN];
 
 for (i = 0; i <= 32; i++) {
 j = get_rand(0, (POTIONS - 1));
 k = get_rand(0, (POTIONS - 1));
- t = id_potions[j].title;
- id_potions[j].title = id_potions[k].title;
- id_potions[k].title = t;
+ memcpy(t, id_potions[j].title, MAX_ID_TITLE_LEN);
+ memcpy(id_potions[j].title, id_potions[k].title, MAX_ID_TITLE_LEN);
+ memcpy(id_potions[k].title, t, MAX_ID_TITLE_LEN);
 }
 }
diff --git a/rogue/message.c b/rogue/message.c
index 17af007c..20d4e3da 100644
--- a/rogue/message.c
+++ b/rogue/message.c
@@ -1,4 +1,4 @@
-/* $NetBSD: message.c,v 1.8 2000/07/10 10:19:27 itojun Exp $ */
+/* $NetBSD: message.c,v 1.9 2002/10/01 14:18:57 mrg Exp $ */
 
 /*
  * Copyright (c) 1988, 1993
@@ -41,7 +41,7 @@
 #if 0
 static char sccsid[] = "@(#)message.c 8.1 (Berkeley) 5/31/93";
 #else
-__RCSID("$NetBSD: message.c,v 1.8 2000/07/10 10:19:27 itojun Exp $");
+__RCSID("$NetBSD: message.c,v 1.9 2002/10/01 14:18:57 mrg Exp $");
 #endif
 #endif /* not lint */
 
@@ -64,7 +64,7 @@ __RCSID("$NetBSD: message.c,v 1.8 2000/07/10 10:19:27 itojun Exp $");
 char msgs[NMESSAGES][DCOLS] = {"", "", "", "", ""};
 short msg_col = 0, imsg = -1;
 boolean msg_cleared = 1, rmsg = 0;
-char hunger_str[8] = "";
+char hunger_str[HUNGER_STR_LEN] = "";
 const char *more = "-more-";
 
 void
diff --git a/rogue/rogue.h b/rogue/rogue.h
index ec67cc76..67d104a5 100644
--- a/rogue/rogue.h
+++ b/rogue/rogue.h
@@ -1,4 +1,4 @@
-/* $NetBSD: rogue.h,v 1.12 2001/02/05 01:04:25 christos Exp $ */
+/* $NetBSD: rogue.h,v 1.13 2002/10/01 14:18:57 mrg Exp $ */
 
 /*
  * Copyright (c) 1988, 1993
@@ -192,9 +192,10 @@
 #define MAX_OPT_LEN 40
+#define MAX_ID_TITLE_LEN 64
 
 struct id {
 short value;
- char *title;
+ char title[MAX_ID_TITLE_LEN];
 char *real;
 unsigned short id_status;
 };
 
@@ -658,7 +659,7 @@ int rand_percent __P((int));
 void rand_place __P((object *));
 void read_pack __P((object *, FILE *, boolean));
 void read_scroll __P((void));
-void read_string __P((char *, FILE *));
+void read_string __P((char *, FILE *, size_t));
 void recursive_deadend __P((short, const short *, short, short));
 boolean reg_move __P((void));
 void relight __P((void));
@@ -763,8 +764,9 @@ extern boolean sustain_strength;
 extern boolean trap_door;
 extern boolean wizard;
 extern char hit_message[];
-extern char hunger_str[];
-extern char login_name[];
+#define HUNGER_STR_LEN 8
+extern char hunger_str[HUNGER_STR_LEN];
+extern char login_name[MAX_OPT_LEN];
 extern const char *byebye_string;
 extern const char *curse_message;
 extern const char *error_file;
diff --git a/rogue/save.c b/rogue/save.c
index 8c38a4d4..27e97c32 100644
--- a/rogue/save.c
+++ b/rogue/save.c
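Review bot: `extern char login_name[MAX_OPT_LEN];` and `extern char hunger_str[HUNGER_STR_LEN];` make the `sizeof` bounds that save.c now passes to read_string depend on these header declarations agreeing with the definitions, and only the `hunger_str` definition (message.c) is updated in this diff; a `login_name` definition of a different size would be an incompatible declaration and the bound would be wrong. I would define `login_name` with the same macro in its own .c file and mark the dependency at the extern: `/* sizes must match the definitions; save.c passes sizeof these to read_string */`. As a point of style, `#define HUNGER_STR_LEN 8` sitting between extern declarations would read better next to `MAX_OPT_LEN` and `MAX_ID_TITLE_LEN` in the earlier hunk where the other length constants live.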
@@ -1,4 +1,4 @@
-/* $NetBSD: save.c,v 1.7 1999/09/18 19:38:54 jsm Exp $ */
+/* $NetBSD: save.c,v 1.8 2002/10/01 14:18:58 mrg Exp $ */
 
 /*
  * Copyright (c) 1988, 1993
@@ -41,7 +41,7 @@
 #if 0
 static char sccsid[] = "@(#)save.c 8.1 (Berkeley) 5/31/93";
 #else
-__RCSID("$NetBSD: save.c,v 1.7 1999/09/18 19:38:54 jsm Exp $");
+__RCSID("$NetBSD: save.c,v 1.8 2002/10/01 14:18:58 mrg Exp $");
 #endif
 #endif /* not lint */
 
@@ -102,8 +102,8 @@ save_into_file(sfile)
 }
 }
 }
- if ( ((fp = fopen(sfile, "w")) == NULL) ||
- ((file_id = md_get_file_id(sfile)) == -1)) {
+ if (((fp = fopen(sfile, "w")) == NULL) ||
+ ((file_id = md_get_file_id(sfile)) == -1)) {
 message("problem accessing the save file", 0);
 return;
 }
@@ -166,8 +166,8 @@ restore(fname)
 int new_file_id, saved_file_id;
 
 fp = NULL;
- if ( ((new_file_id = md_get_file_id(fname)) == -1) ||
- ((fp = fopen(fname, "r")) == NULL)) {
+ if (((new_file_id = md_get_file_id(fname)) == -1) ||
+ ((fp = fopen(fname, "r")) == NULL)) {
 clean_up("cannot open file");
 }
 if (md_link_count(fname) > 1) {
@@ -177,10 +177,10 @@ restore(fname)
 r_read(fp, (char *) &detect_monster, sizeof(detect_monster));
 r_read(fp, (char *) &cur_level, sizeof(cur_level));
 r_read(fp, (char *) &max_level, sizeof(max_level));
- read_string(hunger_str, fp);
+ read_string(hunger_str, fp, sizeof hunger_str);
 
- (void) strcpy(tbuf, login_name);
- read_string(login_name, fp);
+ (void) strlcpy(tbuf, login_name, sizeof tbuf);
+ read_string(login_name, fp, sizeof login_name);
 if (strcmp(tbuf, login_name)) {
 clean_up("you're not the original player");
 }
@@ -269,9 +269,9 @@ read_pack(pack, fp, is_rogue)
 *new_obj = read_obj;
 if (is_rogue) {
 if (new_obj->in_use_flags & BEING_WORN) {
- do_wear(new_obj);
+ do_wear(new_obj);
 } else if (new_obj->in_use_flags & BEING_WIELDED) {
- do_wield(new_obj);
+ do_wield(new_obj);
 } else if (new_obj->in_use_flags & (ON_EITHER_HAND)) {
 do_put_on(new_obj, ((new_obj->in_use_flags & ON_LEFT_HAND) ? 1 : 0));
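Review bot: `(void) strlcpy(tbuf, login_name, sizeof tbuf)` in the restore hunk throws away the only indication that the copy was cut short; `tbuf` is declared outside this hunk, and if it is smaller than `login_name` (MAX_OPT_LEN per rogue.h) a long but legitimate name would be truncated and the following `strcmp(tbuf, login_name)` would reject the file's real owner. Either size `tbuf` with the same macro as `login_name` or keep the result: `if (strlcpy(tbuf, login_name, sizeof tbuf) >= sizeof tbuf) clean_up("login name too long");`. Note also that `sizeof login_name` here is taken from the extern declaration in rogue.h, so the bound passed to read_string is only right if the definition in its own translation unit uses MAX_OPT_LEN too. restore's body begins and ends outside this hunk.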
@@ -326,7 +326,7 @@ rw_id(id_table, fp, n, wr)
 r_read(fp, (char *) &(id_table[i].value), sizeof(short));
 r_read(fp, (char *) &(id_table[i].id_status), sizeof(unsigned short));
- read_string(id_table[i].title, fp);
+ read_string(id_table[i].title, fp, MAX_ID_TITLE_LEN);
 }
 }
 }
@@ -345,13 +345,16 @@ write_string(s, fp)
 }
 
 void
-read_string(s, fp)
+read_string(s, fp, len)
 char *s;
 FILE *fp;
+ size_t len;
 {
 short n;
 
 r_read(fp, (char *) &n, sizeof(short));
+ if (n > len)
+ clean_up("read_string: corrupt game file");
 r_read(fp, s, n);
 xxxx(s, n);
 }
-- 
cgit v1.2.3-56-ge451
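Review bot: The new `if (n > len)` check bounds the read but not the string: `r_read(fp, s, n)` fills exactly `n` bytes and `xxxx(s, n)` decodes them in place, so a corrupt file whose decoded bytes contain no NUL leaves `s` unterminated, and `strcmp(tbuf, login_name)` in restore then reads past the end of `login_name`. A negative `n` is rejected only because the `short` is converted to `size_t` in the comparison, and `n == 0` skips the read and leaves whatever `s` held before. I would make the guard explicit, `if (n <= 0 || (size_t)n > len)`, and after `xxxx(s, n);` force termination with `s[n - 1] = '\0';` — if write_string counts the terminator in `n` (its body is outside this hunk, so I am inferring that from `strlen`-style saves) this is a no-op on well-formed files and a hard stop on everything else. read_string is shown in full; write_string's definition starts outside the hunk.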