From d8bc1d48404a4b9487e12764de024eb5e435c77a Mon Sep 17 00:00:00 2001
From: drochner
Date: Thu, 1 Jun 2006 16:12:27 +0000
Subject: Better check data read from tetris.scores before use as array indices etc. This is CVE-2006-1539, files against Gentoo Linux, the patch is from Gentoo. A standard NetBSD installation is not as much risk because tetris is sgid "games", and users shouldn't be in that group.
---
 tetris/scores.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
(limited to 'tetris')
diff --git a/tetris/scores.c b/tetris/scores.c
index bf18aa98..d215261c 100644
--- a/tetris/scores.c
+++ b/tetris/scores.c
@@ -1,4 +1,4 @@
-/* $NetBSD: scores.c,v 1.13 2004/01/27 20:30:30 jsm Exp $ */
+/* $NetBSD: scores.c,v 1.14 2006/06/01 16:12:27 drochner Exp $ */
 /*-
 * Copyright (c) 1992, 1993
@@ -334,7 +334,8 @@ checkscores(hs, num)
 continue;
 }
 }
- levelfound[sp->hs_level] = 1;
+ if (sp->hs_level < NLEVELS && sp->hs_level >= 0)
+ levelfound[sp->hs_level] = 1;
 i++, sp++;
 }
 return (num > MAXHISCORES ? MAXHISCORES : num);
@@ -373,12 +374,14 @@ showscores(level)
 for (i = MINLEVEL; i < NLEVELS; i++)
 levelfound[i] = 0;
 for (i = 0, sp = scores; i < nscores; i++, sp++) {
- if (levelfound[sp->hs_level])
- sp->hs_time = 0;
- else {
- sp->hs_time = 1;
- levelfound[sp->hs_level] = 1;
- }
+ if (sp->hs_level < NLEVELS && sp->hs_level >= 0) {
+ if (levelfound[sp->hs_level])
+ sp->hs_time = 0;
+ else {
+ sp->hs_time = 1;
+ levelfound[sp->hs_level] = 1;
+ }
+ }
 }
 /*
@@ -432,7 +435,7 @@ printem(level, offset, hs, n, me)
 continue;
 }
 sp = &hs[item];
- (void)sprintf(buf,
+ (void)snprintf(buf, sizeof(buf),
 "%3d%c %6d %-11s (%6d on %d)", item + offset, sp->hs_time ? '*' : ' ', sp->hs_score * sp->hs_level,
--
cgit v1.2.3-56-ge451
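Review bot: In checkscores (hunk at -334,7) the new range test only skips the `levelfound[]` write; the record still advances through `i++, sp++` and is counted in the return value, so an entry whose `hs_level` is out of range stays in the table for later readers such as the `sp->hs_score * sp->hs_level` product in printem. Consider rejecting such a record in this loop rather than keeping it, and at minimum record the decision above the test, e.g. `/* hs_level is read from the score file; out-of-range entries are kept but never used as an index */`. The lower bound is 0 while the loop in showscores starts at `MINLEVEL`, so if `MINLEVEL` is greater than 0 the stricter test would be `sp->hs_level >= MINLEVEL`. The loop body begins outside the hunk, so how a record should be removed is not visible here.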
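Review bot: In showscores (hunk at -373,12) an entry that fails the new range test leaves `sp->hs_time` untouched, whereas the old code always set it to 0 or 1. The field then keeps whatever it already held, presumably the value loaded from the score file, and printem reads it as `sp->hs_time ? '*' : ' '`. Add an else branch so the marker is deterministic for rejected entries: `} else sp->hs_time = 0;`. The same two-sided test now also appears in checkscores, so a small helper or macro would keep the bounds in one place.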
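Review bot: `sizeof(buf)` in the new `snprintf` call in printem (hunk at -432,7) is the right bound only if `buf` is an array declared in this function; its declaration is outside the hunk, and if it were a pointer the bound would be the pointer size. The `%-11s` conversion still reads its string argument up to the first NUL, and that argument is also outside the hunk. If it is a fixed-size name field loaded from the score file, a precision matching the field size, or forced termination when the file is read, would bound that read as well. A one-line comment such as `/* buf is a local array; output is truncated, not overflowed */` would record the assumption.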