bug #21247: fill_sprite_array() has no array bounds checks

Submitted by:  Jacob Nevins <jtn>
Submitted on:  Sun 03 Nov 2013 02:08:48 PM UTC  
 
Category: client
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Assigned to: None
Open/Closed: Open
Release: 
Operating System: Any
Planned Release: 


Sun 03 Nov 2013 02:08:48 PM UTC, original submission:

fill_sprite_array() and descendants have a pattern where they increment an array pointer passed in a number of times and return how many times they did it. There is no check that the array is big enough, nor any way of growing it.

fill_sprite_array() is called from put_one_element(), which passes an array tile_sprs[80].

It might be that this is big enough for all possible tilesets; it seems likely, but without a detailed audit I can't say for sure.

It would be better if some idiom that spots overflow were used. While this code is frequently used, it is also complex, so I can't imagine the execution overhead would be overwhelming.

Jacob Nevins <jtn>
Project Administrator
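One bounded-cursor idiom of the kind the report asks for, as an added example that is not Freeciv's own code: the bare incremented pointer is replaced by a cursor carrying a count and a capacity, so an over-long fill is refused and recorded instead of writing past the end of the caller's 80-entry buffer. The `struct drawn_sprite` fields, `fill_sprite_array_checked()`, `draw_tile()` and the layer counts are constructed for illustration and do not match Freeciv's real signatures.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for the client's drawn-sprite record; only an id here. */
struct drawn_sprite { int sprite_id; };

/* Bounded cursor: replaces "sprs++" with an explicit count and capacity. */
struct sprite_cursor {
  struct drawn_sprite *buf;
  size_t count;
  size_t capacity;
  bool overflowed;   /* set once a write past the end was refused */
};

static void cursor_init(struct sprite_cursor *c, struct drawn_sprite *buf, size_t capacity) {
  c->buf = buf; c->count = 0; c->capacity = capacity; c->overflowed = false;
}

/* Append one sprite; on a full buffer record the overflow and write nothing. */
static bool cursor_push(struct sprite_cursor *c, int sprite_id) {
  if (c->count >= c->capacity) { c->overflowed = true; return false; }
  c->buf[c->count++].sprite_id = sprite_id;
  return true;
}

/* Simplified fill routine modelled on the pattern in the report: several
 * layers each add sprites, and the number actually written is returned. */
static size_t fill_sprite_array_checked(struct sprite_cursor *c, int n_layers, int sprites_per_layer) {
  for (int layer = 0; layer < n_layers; layer++)
    for (int i = 0; i < sprites_per_layer; i++)
      if (!cursor_push(c, layer * 100 + i))   /* constructed sprite ids */
        return c->count;                      /* stop at the first refused write */
  return c->count;
}

/* Constructed caller in the spirit of put_one_element(): fixed 80-entry buffer. */
#define TILE_SPRS_MAX 80
static size_t draw_tile(int n_layers, int sprites_per_layer, bool *overflowed) {
  struct drawn_sprite tile_sprs[TILE_SPRS_MAX];
  struct sprite_cursor c;
  cursor_init(&c, tile_sprs, TILE_SPRS_MAX);
  size_t n = fill_sprite_array_checked(&c, n_layers, sprites_per_layer);
  *overflowed = c.overflowed;   /* caller can log or assert on this */
  return n;
}
```

A tileset that would need 81 or more sprites now yields exactly 80 entries plus an overflow flag, which is the signal an assertion or log line in the caller can act on.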


Depends on the following items: None found

Items that depend on this one: None found
