fix potential buffer overflow loading config file

PatR · nhmall · commit f4a840a48f4b · 2019-12-17T14:17:55.000-05:00
diff --git a/doc/fixes36.4 b/doc/fixes36.4
@@ -1,8 +1,8 @@
 $NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.4 $ $NHDT-Date: 1576287569 2019/12/14 01:39:29 $
 
-This fixes36.4 file is here to capture information about updates in the 3.6.x
-lineage following the release of 3.6.3 in December 2019.  Hypothetical version
-3.6.4 may not be released, in which case these fixes will appear in 3.7.0.
+fixes36.4 contains a terse summary of changes made to 3.6.3 in order to
+produce 3.6.4.
+ 
 
 General Fixes and Modified Features
 -----------------------------------
@@ -15,11 +15,7 @@ message "your knapsack can't accomodate any more items" when picking stuff up
 	or removing such from container was inaccurate if there was some gold
 	pending; vary the message rather than add more convoluted pickup code
 dozen-ish assorted spelling/typo fixes in messages and source comments
-flying hero could not use a hole deliberately with '>'
-
-
-Fixes to Post-3.6.3 Problems that Were Exposed Via git Repository
-------------------------------------------------------------------
+fix potential buffer overflow when parsing run-time configuration file
 
 
 Platform- and/or Interface-Specific Fixes or Features
@@ -30,13 +26,6 @@ allow run-from-removable-device on Windows
 
 General New Features
 --------------------
-
-
-NetHack Community Patches (or Variation) Included
--------------------------------------------------
-
-
-Code Cleanup and Reorganization
--------------------------------
+none
 
 
diff --git a/src/files.c b/src/files.c
@@ -2309,10 +2309,14 @@ char *origbuf;
     int len;
     boolean retval = TRUE;
 
+    while (*origbuf == ' ' || *origbuf == '\t') /* skip leading whitespace */
+        ++origbuf;                   /* (caller probably already did this) */
+    (void) strncpy(buf, origbuf, sizeof buf - 1);
+    buf[sizeof buf - 1] = '\0'; /* strncpy not guaranteed to NUL terminate */
     /* convert any tab to space, condense consecutive spaces into one,
        remove leading and trailing spaces (exception: if there is nothing
        but spaces, one of them will be kept even though it leads/trails) */
-    mungspaces(strcpy(buf, origbuf));
+    mungspaces(buf);
 
     /* find the '=' or ':' */
     bufp = find_optparam(buf);
@@ -3034,7 +3038,11 @@ boolean
 proc_wizkit_line(buf)
 char *buf;
 {
-    struct obj *otmp = readobjnam(buf, (struct obj *) 0);
+    struct obj *otmp;
+
+    if (strlen(buf) >= BUFSZ)
+        buf[BUFSZ - 1] = '\0';
+    otmp = readobjnam(buf, (struct obj *) 0);
 
     if (otmp) {
         if (otmp != &zeroobj)
@@ -3142,22 +3150,23 @@ boolean FDECL((*proc), (char *));
 
                 /* merge now read line with previous ones, if necessary */
                 if (!ignoreline) {
-                    len = (int) strlen(inbuf) + 1;
+                    len = (int) strlen(ep) + 1; /* +1: final '\0' */
                     if (buf)
-                        len += (int) strlen(buf);
+                        len += (int) strlen(buf) + 1; /* +1: space */
                     tmpbuf = (char *) alloc(len);
+                    *tmpbuf = '\0';
                     if (buf) {
-                        Sprintf(tmpbuf, "%s %s", buf, inbuf);
+                        Strcat(strcpy(tmpbuf, buf), " ");
                         free(buf);
-                    } else
-                        Strcpy(tmpbuf, inbuf);
-                    buf = tmpbuf;
+                    }
+                    buf = strcat(tmpbuf, ep);
+                    buf[sizeof inbuf - 1] = '\0';
                 }
 
                 if (morelines || (ignoreline && !oldline))
                     continue;
 
-                if (handle_config_section(ep)) {
+                if (handle_config_section(buf)) {
                     free(buf);
                     buf = (char *) 0;
                     continue;
@@ -3179,11 +3188,11 @@ boolean FDECL((*proc), (char *));
                     }
                     bufp++;
                     if (config_section_chosen)
-                        free(config_section_chosen);
+                        free(config_section_chosen), config_section_chosen = 0;
                     section = choose_random_part(bufp, ',');
-                    if (section)
+                    if (section) {
                         config_section_chosen = dupstr(section);
-                    else {
+                    } else {
                         config_error_add("No config section to choose");
                         rv = FALSE;
                     }
@@ -3300,6 +3309,8 @@ int which_set;
     struct symparse *symp;
     char *bufp, *commentp, *altp;
 
+    if (strlen(buf) >= BUFSZ)
+        buf[BUFSZ - 1] = '\0';
     /* convert each instance of whitespace (tabs, consecutive spaces)
        into a single space; leading and trailing spaces are stripped */
     mungspaces(buf);
