[prev in list] [next in list] [prev in thread] [next in thread] 

List:       freeciv-dev
Subject:    [Freeciv-Dev] [bug #21247] fill_sprite_array() has no array bounds checks
From:       Jacob Nevins <NO-REPLY.INVALID-ADDRESS () gna ! org>
Date:       2013-11-03 14:08:48
Message-ID: 20131103-140848.sv14715.51311 () gna ! org
[Download RAW message or body]

URL:
  <http://gna.org/bugs/?21247>

                 Summary: fill_sprite_array() has no array bounds checks
                 Project: Freeciv
            Submitted by: jtn
            Submitted on: Sun Nov  3 14:08:48 2013
                Category: client
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
                 Release: 
         Discussion Lock: Any
        Operating System: Any
         Planned Release: 

    _______________________________________________________

Details:

fill_sprite_array() and descendants have a pattern where they increment an
array pointer passed in a number of times and return how many times they did
it. There is no check that the array is big enough, nor any way of growing
it.

fill_sprite_array() is called from put_one_element(), which passes an array
tile_sprs[80].

It might be that this is big enough for all possible tilesets; it seems
likely, but without a detailed audit I can't say for sure.

It would be better if some idiom that will spot overflow is used. While this
code is frequently used, it is also complex, so I can't imagine the execution
overhead will be overwhelming.




    _______________________________________________________

Reply to this item at:

  <http://gna.org/bugs/?21247>

_______________________________________________
  Message sent via/by Gna!
  http://gna.org/


_______________________________________________
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev
[prev in list] [next in list] [prev in thread] [next in thread]