ref: e5717d1ba2184eb6e38b4e2a9d29dc4704aeef30
parent: 942d883d9bf86f4240dc7ec22b726d64f6db9af2
author: Ben Harris <[email protected]>
date: Sun Jan 8 06:31:36 EST 2023
Range-check record lengths when deserialising games "1999999999999999999999999999999999999999999999999999" as a record length should lead to an error, not a buffer overrun. (fun fact that was less obvious to me than it should have been: very large powers of ten are multiples of large powers of two, so that number is -1 mod 2^32) This bug can be demonstrated by building any puzzle with AddressSanitizer and then loading this save file: SAVEFILE:41:Simon Tatham's Portable Puzzle Collection VERSION :1999999999999999999999999999999999999999999999999999:1
--- a/midend.c
+++ b/midend.c
@@ -2310,7 +2310,7 @@
if (c == ':') {
break;
- } else if (c >= '0' && c <= '9') {
+ } else if (c >= '0' && c <= '9' && len < (INT_MAX - 10) / 10) {
len = (len * 10) + (c - '0');
} else {
if (started)
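Review bot: The bound `len < (INT_MAX - 10) / 10` on the new line is correct (any len below it leaves `len * 10 + 9` under INT_MAX) but nothing on the line says so, and an over-long digit run now drops into the `else` branch, where it is presumably reported as an unexpected character rather than as a length out of range; the rest of that branch is outside the hunk, so confirm it does reject rather than skip the digit. A why-comment would keep the next maintainer from "simplifying" the condition, e.g. `/* stop accumulating before len * 10 + 9 can exceed INT_MAX; the digit then falls to the error path below */`. The identical guard appears again in the hunk at line 2704, and the two digit-accumulation loops are otherwise the same; a small shared helper (or at least a named constant for the bound) would keep the check in one place. Separately, a record length just under 2^31/10 still passes this check, so whatever allocation or read uses `len` afterwards may still want a tighter plausibility limit for save-file records; that code is not visible here.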
@@ -2704,7 +2704,7 @@
if (c == ':') {
break;
- } else if (c >= '0' && c <= '9') {
+ } else if (c >= '0' && c <= '9' && len < (INT_MAX - 10) / 10) {
len = (len * 10) + (c - '0');
} else {
if (started)