zakarya/puzzles
1
0
Fork 0
mirror of git://git.tartarus.org/simon/puzzles.git synced 2025-04-21 08:01:30 -07:00
Code Issues Packages Projects Releases Wiki Activity

Undead: check the return value of sscanf() in execute_move()

Browse Source 
sscanf() assigns its output in order, so if a conversion specifier fails
to match, a later "%n" specifier will also not get its result assigned.
In Undead's execute_move(), this led to the result of "%n" being used
without being initialised.  That could cause it to try to parse
arbitrary memory as part of the move string, which shouldn't be a
security problem (since execute_move() handles untrusted input anyway),
but could lead to a crash and certainly wasn't helpful.
This commit is contained in:
Ben Harris
2023-02-13 10:04:47 +00:00
parent 493bf16ddb
commit 0a7c531e8f
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
undead.c
View File

@ -2083,7 +2083,7 @@ static game_state *execute_move(const game_state *state, const char *move)
} else if (c == 'G' || c == 'V' || c == 'Z' || c == 'E' ||
c == 'g' || c == 'v' || c == 'z') {
move++;
sscanf(move, "%d%n", &x, &n);
if (sscanf(move, "%d%n", &x, &n) != 1) goto badmove;
if (x < 0 || x >= ret->common->num_total) goto badmove;
if (c == 'G') ret->guess[x] = 1;
if (c == 'V') ret->guess[x] = 2;