

ref: 942d883d9bf86f4240dc7ec22b726d64f6db9af2
parent: 4845f3e913a02417fe7a8d84c6407d40807ec0ec
author: Ben Harris <[email protected]>
date: Sun Jan 8 05:20:26 EST 2023

Range-check normal moves in Undead

Normal moves shouldn't be allowed to write outside the board.  This
buffer overrun can be demonstrated by building Undead with
AddressSanitizer and loading this save file:

SAVEFILE:41:Simon Tatham's Portable Puzzle Collection
VERSION :1:1
GAME    :6:Undead
PARAMS  :5:4x4dn
CPARAMS :5:4x4dn
DESC    :48:5,0,5,cRRaLRcLRc,0,2,1,3,1,0,0,3,4,3,2,3,4,2,1,1
NSTATES :1:2
STATEPOS:1:2
MOVE    :3:Z10

--- a/undead.c
+++ b/undead.c
@@ -2084,6 +2084,7 @@
                    c == 'g' || c == 'v' || c == 'z') {
             move++;
             sscanf(move, "%d%n", &x, &n);
+            if (x < 0 || x >= ret->common->num_total) goto badmove;
             if (c == 'G') ret->guess[x] = 1;
             if (c == 'V') ret->guess[x] = 2;
             if (c == 'Z') ret->guess[x] = 4;
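Review bot: The sscanf on the line just before the new range check still has its return value ignored, so a save-file move with a letter but no digits (e.g. `Z` alone) leaves x and n untouched, and the added check only rejects the stale x when it happens to be out of range; whatever the loop later does with n (its advance is outside this hunk) would likewise use a stale count. Since this path parses a save file, which is untrusted input, the parse itself should be validated, `if (sscanf(move, "%d%n", &x, &n) != 1) goto badmove;`, with the existing range check kept immediately after it. The bound `ret->common->num_total` is presumably the allocated length of `guess[]`, but that allocation is not visible here and is worth confirming. The enclosing function starts before and ends after this hunk.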
@@ -2109,6 +2110,7 @@
             move++;
         } else {
             /* Unknown move type. */
+        badmove:
             free_game(ret);
             return NULL;
         }
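Review bot: The comment `/* Unknown move type. */` directly above the new `badmove:` label now describes only one of the paths into this cleanup, since the range-check failure earlier in the same function also jumps here. I would reword it to `/* Unknown move type, or a move rejected by a range check above. */` so a later reader does not assume every arrival at this free_game/return NULL is an unrecognised move letter. The enclosing function starts before and ends after this hunk.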