Hello Teeworlds dev team,
There is an integer overflow in CMap::Load() which can lead to a buffer overflow.
```cpp
CTile *pTiles = static_cast<CTile *>(mem_alloc(pTilemap->m_Width * pTilemap->m_Height * sizeof(CTile), 1));

// extract original tile data
int i = 0;
CTile *pSavedTiles = static_cast<CTile *>(m_DataFile.GetData(pTilemap->m_Data));
while(i < pTilemap->m_Width * pTilemap->m_Height)
{
	for(unsigned Counter = 0; Counter <= pSavedTiles->m_Skip && i < pTilemap->m_Width * pTilemap->m_Height; Counter++)
	{
		pTiles[i] = *pSavedTiles;
		pTiles[i++].m_Skip = 0;
	}
	pSavedTiles++; // advance to the next run of saved tiles
}
```
pTilemap->m_Width and pTilemap->m_Height can be arbitrary integers and there is no check for an integer overflow when multiplying these integers with each other and with sizeof(CTile).
Also there is no check if mem_alloc returns NULL which can lead to a null pointer dereference.
Mans van Someren
The code is located here:
Lines 58 to 73
I agree this is a security issue. Should we simply clamp pTilemap->m_Width and pTilemap->m_Height?
You could limit pTilemap->m_Width and pTilemap->m_Height so that the integer overflow can't occur, or add a check after the multiplications. I suggest reading the accepted answer on this Stack Overflow post: https://stackoverflow.com/questions/1815367/catch-and-compute-overflow-during-multiplication-of-two-large-integers
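The check-before-multiply approach suggested above, written out as an added example (this is not Teeworlds code and not the fix that was merged). The CTile struct is a constructed stand-in for the engine's tile type, and the names TilemapTileCount, TilemapBytes and ExpandTiles are assumptions made for this illustration. It tests each multiplication against the integer limit before performing it, replaces the unchecked mem_alloc result with a std::vector, and bounds the read of the compressed tile data so a map whose declared size exceeds its data is rejected instead of read past the end.

```cpp
#include <climits>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Stand-in for the engine's tile struct (constructed for this example;
// the real definition lives in the Teeworlds source tree).
struct CTile
{
	unsigned char m_Index;
	unsigned char m_Flags;
	unsigned char m_Skip;
	unsigned char m_Reserved;
};

// Computes Width*Height as an int without overflow. Returns false when either
// dimension is non-positive or the product would not fit in an int, which is
// the case the unchecked multiplication in the loader gets wrong.
bool TilemapTileCount(int Width, int Height, int *pCount)
{
	if(Width <= 0 || Height <= 0)
		return false;
	if(Width > INT_MAX / Height) // division cannot overflow, so no undefined behaviour here
		return false;
	*pCount = Width * Height;
	return true;
}

// Computes the allocation size Width*Height*sizeof(CTile) in size_t, checking
// the second multiplication against SIZE_MAX before performing it.
bool TilemapBytes(int Width, int Height, size_t *pBytes)
{
	int Count;
	if(!TilemapTileCount(Width, Height, &Count))
		return false;
	size_t Tiles = static_cast<size_t>(Count);
	if(Tiles > SIZE_MAX / sizeof(CTile))
		return false;
	*pBytes = Tiles * sizeof(CTile);
	return true;
}

// Expands the run-length encoded tile data the way the loader does, but with
// the tile count checked first and the read of pSaved bounded by SavedCount
// (the original trusts both values as they come from the map file).
bool ExpandTiles(int Width, int Height, const CTile *pSaved, size_t SavedCount, std::vector<CTile> *pOut)
{
	int Count;
	if(!TilemapTileCount(Width, Height, &Count))
		return false;
	pOut->assign(static_cast<size_t>(Count), CTile{}); // throws std::bad_alloc instead of returning NULL
	int i = 0;
	size_t s = 0;
	while(i < Count)
	{
		if(s >= SavedCount)
			return false; // compressed data ends before the declared map size is filled
		for(unsigned Counter = 0; Counter <= pSaved[s].m_Skip && i < Count; Counter++)
		{
			(*pOut)[static_cast<size_t>(i)] = pSaved[s];
			(*pOut)[static_cast<size_t>(i++)].m_Skip = 0;
		}
		s++;
	}
	return true;
}

// Constructed sample: a 2x2 map stored as two runs (index 1 repeated 3 times, then index 2 once).
// Returns the sum of the expanded tile indices, or -1 if expansion fails.
int DemoExpandIndexSum()
{
	const CTile aSaved[2] = {{1, 0, 2, 0}, {2, 0, 0, 0}};
	std::vector<CTile> vTiles;
	if(!ExpandTiles(2, 2, aSaved, 2, &vTiles))
		return -1;
	int Sum = 0;
	for(const CTile &Tile : vTiles)
		Sum += Tile.m_Index;
	return Sum;
}

// Constructed sample: the map claims 4x4 tiles but only one run of 3 tiles is present.
bool DemoTruncatedDataRejected()
{
	const CTile aSaved[1] = {{1, 0, 2, 0}};
	std::vector<CTile> vTiles;
	return !ExpandTiles(4, 4, aSaved, 1, &vTiles);
}

int main()
{
	int Count;
	size_t Bytes;
	printf("65536x65536 fits in int: %s\n", TilemapTileCount(65536, 65536, &Count) ? "yes" : "no");
	printf("4x4 bytes: %s\n", TilemapBytes(4, 4, &Bytes) ? "ok" : "overflow");
	printf("expanded index sum: %d\n", DemoExpandIndexSum());
	printf("truncated data rejected: %s\n", DemoTruncatedDataRejected() ? "yes" : "no");
	return 0;
}
```

The division form `Width > INT_MAX / Height` is the portable version of the check from the linked answer; on compilers that provide `__builtin_mul_overflow` the same test can be written in one call. Note that the loop bound in the loader is also an `int` product, so checking only the `size_t` allocation size would leave the loop itself wrong; both must be validated.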
Fix integer overflow when computing tilemap size. Fixes teeworlds#2071
Merge pull request #2076 from Dune-jr/fix-stability2
Fix integer overflow when computing tilemap size. Fixes #2071