shithub: puzzles


ref: 73c7bc090155ab8c4661feaeea9e6a6e74ee6f77
parent: d577aaecab09506988a657fa257c4d0ab85d0cd6
author: Ben Harris <[email protected]>
date: Mon Feb 13 09:31:39 EST 2023

Twiddle: don't read off the end of parameter strings ending 'm'

The overrun could be demonstrated by specifying a parameter string of
"3x3m" to a build with AddressSanitizer.

--- a/twiddle.c
+++ b/twiddle.c
@@ -124,14 +124,16 @@
     while (*string) {
 	if (*string == 'r') {
 	    ret->rowsonly = true;
+            string++;
 	} else if (*string == 'o') {
 	    ret->orientable = true;
+            string++;
 	} else if (*string == 'm') {
             string++;
 	    ret->movetarget = atoi(string);
-            while (string[1] && isdigit((unsigned char)string[1])) string++;
-	}
-	string++;
+            while (*string && isdigit((unsigned char)*string)) string++;
+	} else
+            string++;
     }
 }
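Review bot: `ret->movetarget = atoi(string);` in the 'm' branch still hands untrusted parameter text to atoi, which has undefined behaviour when the number does not fit in an int, and which accepts leading whitespace and a sign that the digit-skipping loop after it never consumes. A constructed string such as "3x3m-5" would store a negative move target, and the '-' and '5' would then be dropped silently by the final `else string++;`. Parsing only when a digit is actually present closes the sign and whitespace path: `ret->movetarget = isdigit((unsigned char)*string) ? atoi(string) : 0;`. Replacing atoi with strtol plus an explicit range check would also remove the overflow case. The function starts outside this hunk, so whether a later validation step already rejects negative or oversized move targets cannot be confirmed from here. As a style point, the unbraced `} else` beside three braced branches is easy to misread; `} else {` ... `}` would match them.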