From 0a7c531e8f4c1970662f7c30aea006e65d5ff010 Mon Sep 17 00:00:00 2001 From: Ben Harris Date: Mon, 13 Feb 2023 10:04:47 +0000 Subject: [PATCH] Undead: check the return value of sscanf() in execute_move() sscanf() assigns its output in order, so if a conversion specifier fails to match, a later "%n" specifier will also not get its result assigned. In Undead's execute_move(), this led to the result of "%n" being used without being initialised. That could cause it to try to parse arbitrary memory as part of the move string, which shouldn't be a security problem (since execute_move() handles untrusted input anyway), but could lead to a crash and certainly wasn't helpful. --- undead.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/undead.c b/undead.c index 40339ae..6feca64 100644 --- a/undead.c +++ b/undead.c @@ -2083,7 +2083,7 @@ static game_state *execute_move(const game_state *state, const char *move) } else if (c == 'G' || c == 'V' || c == 'Z' || c == 'E' || c == 'g' || c == 'v' || c == 'z') { move++; - sscanf(move, "%d%n", &x, &n); + if (sscanf(move, "%d%n", &x, &n) != 1) goto badmove; if (x < 0 || x >= ret->common->num_total) goto badmove; if (c == 'G') ret->guess[x] = 1; if (c == 'V') ret->guess[x] = 2;