List: freeciv-dev
Subject: [Freeciv-Dev] [bug #21247] fill_sprite_array() has no array bounds checks
From: Jacob Nevins <NO-REPLY.INVALID-ADDRESS () gna ! org>
Date: 2013-11-03 14:08:48
Message-ID: 20131103-140848.sv14715.51311 () gna ! org
URL:
<http://gna.org/bugs/?21247>
Summary: fill_sprite_array() has no array bounds checks
Project: Freeciv
Submitted by: jtn
Submitted on: Sun Nov 3 14:08:48 2013
Category: client
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Assigned to: None
Originator Email:
Open/Closed: Open
Release:
Discussion Lock: Any
Operating System: Any
Planned Release:
_______________________________________________________
Details:
fill_sprite_array() and descendants have a pattern where they increment an
array pointer passed in a number of times and return how many times they did
it. There is no check that the array is big enough, nor any way of growing
it.
fill_sprite_array() is called from put_one_element(), which passes an array
tile_sprs[80].
It might be that this is big enough for all possible tilesets; it seems
likely, but without a detailed audit I can't say for sure.
It would be better if some idiom that will spot overflow is used. While this
code is frequently used, it is also complex, so I can't imagine the execution
overhead will be overwhelming.
_______________________________________________________
Reply to this item at:
<http://gna.org/bugs/?21247>
_______________________________________________
Message sent via/by Gna!
http://gna.org/
_______________________________________________
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev
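The two halves of the pattern the report describes, as an added example that is not Freeciv's own code: a pointer-bumping fill helper that returns a count but has no idea how much room is left, beside a bounded-cursor idiom that refuses the write and latches an overflow flag instead. The `sprite`/`drawn_sprite` types, the `tileset` contents and the layer counts (3 layers of 30 sprites, chosen only so the total exceeds the 80 slots `put_one_element()` passes) are constructed for the illustration; the real client types and tileset sizes are not reproduced here. The unchecked driver uses a deliberately oversized array with a sentinel at index 80 so the overrun is observable without corrupting the stack.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the client's types (not the real tilespec.h). */
struct sprite { int id; };
struct drawn_sprite {
  const struct sprite *sprite;
  int offset_x, offset_y;
};
struct fill_result { int count; bool overflowed; };

#define TILE_SPRS_MAX 80      /* size of tile_sprs[] in put_one_element() */
#define LAYERS 3              /* assumed layer count, chosen to overflow */
#define SPRITES_PER_LAYER 30  /* assumed per-layer count: 3*30 = 90 > 80 */

static const struct sprite tileset[SPRITES_PER_LAYER] = { { 0 } };

/* ---- The pattern the report describes ----
 * Takes a raw pointer into the caller's array, bumps it once per entry and
 * returns how many it wrote. Nothing tells it how much room remains. */
static int fill_layer_unchecked(struct drawn_sprite *sprs, int n)
{
  struct drawn_sprite *save_sprs = sprs;
  for (int i = 0; i < n; i++) {
    sprs->sprite = &tileset[i];
    sprs->offset_x = 0;
    sprs->offset_y = 0;
    sprs++;
  }
  return (int)(sprs - save_sprs);
}

/* Drives the unchecked fill the way put_one_element() does. The array is
 * oversized on purpose and a sentinel sits at index TILE_SPRS_MAX, exactly
 * where a real 80-slot tile_sprs[] would be overrun. */
static struct fill_result draw_unchecked(void)
{
  struct drawn_sprite tile_sprs[TILE_SPRS_MAX + LAYERS * SPRITES_PER_LAYER];
  static const struct sprite sentinel = { -1 };
  struct fill_result r = { 0, false };

  tile_sprs[TILE_SPRS_MAX].sprite = &sentinel;
  for (int l = 0; l < LAYERS; l++) {
    r.count += fill_layer_unchecked(tile_sprs + r.count, SPRITES_PER_LAYER);
  }
  /* The fill reported 90 entries and silently clobbered slot 80. */
  r.overflowed = (tile_sprs[TILE_SPRS_MAX].sprite != &sentinel);
  return r;
}

/* ---- A bounded-cursor idiom that spots the overflow ----
 * The cursor carries the capacity with the pointer, so every descendant of
 * fill_sprite_array() gets the check for free instead of each remembering it. */
struct sprs_cursor {
  struct drawn_sprite *buf;
  size_t cap;        /* slots available in buf[] */
  size_t len;        /* slots used so far */
  bool overflowed;   /* latched once an append has been refused */
};

static void cursor_init(struct sprs_cursor *c, struct drawn_sprite *buf, size_t cap)
{
  c->buf = buf; c->cap = cap; c->len = 0; c->overflowed = false;
}

/* All writes go through here; a full buffer is reported, never written past. */
static bool cursor_push(struct sprs_cursor *c, const struct sprite *s, int dx, int dy)
{
  if (c->len >= c->cap) {
    c->overflowed = true;
    return false;
  }
  c->buf[c->len].sprite = s;
  c->buf[c->len].offset_x = dx;
  c->buf[c->len].offset_y = dy;
  c->len++;
  return true;
}

static int fill_layer_checked(struct sprs_cursor *c, int n)
{
  size_t before = c->len;
  for (int i = 0; i < n && cursor_push(c, &tileset[i], 0, 0); i++) {
  }
  return (int)(c->len - before);   /* same count contract as before */
}

static struct fill_result draw_checked(void)
{
  struct drawn_sprite tile_sprs[TILE_SPRS_MAX];   /* the real size, 80 */
  struct sprs_cursor c;
  struct fill_result r;

  cursor_init(&c, tile_sprs, TILE_SPRS_MAX);
  for (int l = 0; l < LAYERS; l++) {
    fill_layer_checked(&c, SPRITES_PER_LAYER);
  }
  r.count = (int)c.len;        /* capped at 80 */
  r.overflowed = c.overflowed; /* and the caller can log or assert on it */
  return r;
}

int main(void)
{
  struct fill_result u = draw_unchecked(), k = draw_checked();
  printf("unchecked: wrote %d entries, sentinel clobbered=%d\n", u.count, u.overflowed);
  printf("checked:   wrote %d entries, overflow reported=%d\n", k.count, k.overflowed);
  return 0;
}
```

The checked variant keeps the "return how many I wrote" contract the existing helpers use, so converting call sites is mechanical; the cost per entry is one compare against `cap`, which is negligible next to the tileset lookups the fill code already does.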