zakarya/puzzles
1
0
Fork 0
mirror of git://git.tartarus.org/simon/puzzles.git synced 2025-04-21 08:01:30 -07:00
Code Issues Packages Projects Releases Wiki Activity

Range-check normal moves in Undead

Browse Source 
Normal moves shouldn't be allowed to write outside the board.  This
buffer overrun can be demonstrated by building Undead with
AddressSanitizer and loading this save file:

SAVEFILE:41:Simon Tatham's Portable Puzzle Collection
VERSION :1:1
GAME    :6:Undead
PARAMS  :5:4x4dn
CPARAMS :5:4x4dn
DESC    :48:5,0,5,cRRaLRcLRc,0,2,1,3,1,0,0,3,4,3,2,3,4,2,1,1
NSTATES :1:2
STATEPOS:1:2
MOVE    :3:Z10
This commit is contained in:
Ben Harris
2023-01-08 10:20:26 +00:00
parent 4845f3e913
commit 942d883d9b
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
undead.c
View File

@ -2084,6 +2084,7 @@ static game_state *execute_move(const game_state *state, const char *move)
c == 'g' || c == 'v' || c == 'z') {
move++;
sscanf(move, "%d%n", &x, &n);
if (x < 0 || x >= ret->common->num_total) goto badmove;
if (c == 'G') ret->guess[x] = 1;
if (c == 'V') ret->guess[x] = 2;
if (c == 'Z') ret->guess[x] = 4;
@ -2109,6 +2110,7 @@ static game_state *execute_move(const game_state *state, const char *move)
move++;
} else {
/* Unknown move type. */
badmove:
free_game(ret);
return NULL;
}