zakarya/puzzles
1
0
Fork 0
mirror of git://git.tartarus.org/simon/puzzles.git synced 2025-04-21 16:05:44 -07:00
Code Issues Packages Projects Releases Wiki Activity

Limit width and height to SHRT_MAX in Mines

Browse Source 
Mines' "struct set" stores co-ordinates within the grid in a pair of
shorts, which leads to very bad behaviour (including heap-based buffer
overruns) if the grid is bigger than SHRT_MAX in either dimension.  So
now we don't allow that.

The overrun can be demonstrated by loading this save file, though the
precise crash is quite variable.  In particular, you seem to get
better crashes if the file doesn't have a trailing newline.

SAVEFILE:41:Simon Tatham's Portable Puzzle Collection
PARAMS  :5:06000
CPARAMS :7:6x60000
NSTATES :1:3
STATEPOS:1:2
MOVE    :5:C0,00
GAME    :5:Mines
DESC    :22:r8,u,00000000000000000
MOVE    ::
This commit is contained in:
Ben Harris
2023-01-28 22:27:21 +00:00
parent ae73ad76ef
commit c0e08f3087
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
mines.c
View File

@ -263,6 +263,8 @@ static const char *validate_params(const game_params *params, bool full)
return "Width and height must both be greater than two"; return "Width and height must both be greater than two";
if (params->w < 1 || params->h < 1) if (params->w < 1 || params->h < 1)
return "Width and height must both be at least one"; return "Width and height must both be at least one";
if (params->w > SHRT_MAX || params->h > SHRT_MAX)
return "Neither width nor height may be unreasonably large";
if (params->w > INT_MAX / params->h) if (params->w > INT_MAX / params->h)
return "Width times height must not be unreasonably large"; return "Width times height must not be unreasonably large";
if (params->n < 0) if (params->n < 0)