fix potential buffer overflow loading config file
PatR authored and nhmall committed Dec 17, 2019
1 parent 58241fd commit f4a840a
Showing 2 changed files with 28 additions and 28 deletions.
21 changes: 5 additions & 16 deletions doc/fixes36.4
@@ -1,8 +1,8 @@
$NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.4 $ $NHDT-Date: 1576287569 2019/12/14 01:39:29 $

This fixes36.4 file is here to capture information about updates in the 3.6.x
lineage following the release of 3.6.3 in December 2019. Hypothetical version
3.6.4 may not be released, in which case these fixes will appear in 3.7.0.
fixes36.4 contains a terse summary of changes made to 3.6.3 in order to
produce 3.6.4.

General Fixes and Modified Features
-----------------------------------
Expand All @@ -15,11 +15,7 @@ message "your knapsack can't accomodate any more items" when picking stuff up
or removing such from container was inaccurate if there was some gold
pending; vary the message rather than add more convoluted pickup code
dozen-ish assorted spelling/typo fixes in messages and source comments
flying hero could not use a hole deliberately with '>'


Fixes to Post-3.6.3 Problems that Were Exposed Via git Repository
------------------------------------------------------------------
fix potential buffer overflow when parsing run-time configuration file


Platform- and/or Interface-Specific Fixes or Features
Expand All @@ -30,13 +26,6 @@ allow run-from-removable-device on Windows

General New Features
--------------------


NetHack Community Patches (or Variation) Included
-------------------------------------------------


Code Cleanup and Reorganization
-------------------------------
none


35 changes: 23 additions & 12 deletions src/files.c
Expand Up @@ -2309,10 +2309,14 @@ char *origbuf;
int len;
boolean retval = TRUE;

while (*origbuf == ' ' || *origbuf == '\t') /* skip leading whitespace */
++origbuf; /* (caller probably already did this) */
(void) strncpy(buf, origbuf, sizeof buf - 1);
buf[sizeof buf - 1] = '\0'; /* strncpy not guaranteed to NUL terminate */
/* convert any tab to space, condense consecutive spaces into one,
remove leading and trailing spaces (exception: if there is nothing
but spaces, one of them will be kept even though it leads/trails) */
mungspaces(strcpy(buf, origbuf));
mungspaces(buf);

/* find the '=' or ':' */
bufp = find_optparam(buf);
Expand Down Expand Up @@ -3034,7 +3038,11 @@ boolean
proc_wizkit_line(buf)
char *buf;
{
struct obj *otmp = readobjnam(buf, (struct obj *) 0);
struct obj *otmp;

if (strlen(buf) >= BUFSZ)
buf[BUFSZ - 1] = '\0';
otmp = readobjnam(buf, (struct obj *) 0);

if (otmp) {
if (otmp != &zeroobj)
Expand Down Expand Up @@ -3142,22 +3150,23 @@ boolean FDECL((*proc), (char *));

/* merge now read line with previous ones, if necessary */
if (!ignoreline) {
len = (int) strlen(inbuf) + 1;
len = (int) strlen(ep) + 1; /* +1: final '\0' */
if (buf)
len += (int) strlen(buf);
len += (int) strlen(buf) + 1; /* +1: space */
tmpbuf = (char *) alloc(len);
*tmpbuf = '\0';
if (buf) {
Sprintf(tmpbuf, "%s %s", buf, inbuf);
Strcat(strcpy(tmpbuf, buf), " ");
free(buf);
} else
Strcpy(tmpbuf, inbuf);
buf = tmpbuf;
}
buf = strcat(tmpbuf, ep);
buf[sizeof inbuf - 1] = '\0';
}

if (morelines || (ignoreline && !oldline))
continue;

if (handle_config_section(ep)) {
if (handle_config_section(buf)) {
free(buf);
buf = (char *) 0;
continue;
Expand All @@ -3179,11 +3188,11 @@ boolean FDECL((*proc), (char *));
}
bufp++;
if (config_section_chosen)
free(config_section_chosen);
free(config_section_chosen), config_section_chosen = 0;
section = choose_random_part(bufp, ',');
if (section)
if (section) {
config_section_chosen = dupstr(section);
else {
} else {
config_error_add("No config section to choose");
rv = FALSE;
}
Expand Down Expand Up @@ -3300,6 +3309,8 @@ int which_set;
struct symparse *symp;
char *bufp, *commentp, *altp;

if (strlen(buf) >= BUFSZ)
buf[BUFSZ - 1] = '\0';
/* convert each instance of whitespace (tabs, consecutive spaces)
into a single space; leading and trailing spaces are stripped */
mungspaces(buf);
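Review bot: In the line-merging hunk (old line 3142), the new `buf[sizeof inbuf - 1] = '\0';` runs unconditionally, but `buf` now points at `tmpbuf`, which was allocated with only `len` bytes (`strlen(ep) + 1`, plus `strlen(buf) + 1` when a continuation is being merged). Whenever `len` is smaller than `sizeof inbuf`, the store lands past the end of that heap allocation; this is presumably the normal case for short config lines, assuming `inbuf` is a fixed-size array declared outside the hunk. Guard the truncation the way the `BUFSZ` checks in the other hunks of this commit do: `if (strlen(buf) >= sizeof inbuf) buf[sizeof inbuf - 1] = '\0';`. The enclosing function begins and ends outside the hunk, so the declarations of `inbuf` and `len` should be confirmed there.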