
bug #21247: fill_sprite_array() has no array bounds checks

Submitted by: Jacob Nevins <jtn>
Submitted on: Sun Nov 3 14:08:48 2013
Category: client
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Assigned to: None
Open/Closed: Open
Release:
Operating System: Any
Planned Release: 2.6.0, 3.0.0
Contains string changes: None



Sun Nov 3 14:08:48 2013, original submission:

fill_sprite_array() and descendants have a pattern where they increment an array pointer passed in a number of times and return how many times they did it. There is no check that the array is big enough, nor any way of growing it.

fill_sprite_array() is called from put_one_element(), which passes an array tile_sprs[80].

It might be that this is big enough for all possible tilesets; it seems likely, but without a detailed audit I can't say for sure.

It would be better if some idiom that will spot overflow is used. While this code is frequently used, it is also complex, so I can't imagine the execution overhead will be overwhelming.

Jacob Nevins <jtn>
Project Administrator
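The bounds-checking idiom the report asks for, as an added example that is not Freeciv code: instead of a bare sprite pointer that the callee increments blindly, the caller hands down a buffer with an explicit capacity, every store goes through one checked append, and an overflow is recorded rather than written past the end. The names sprite_t, sprite_buf, fill_layer, fill_all and fill_into_fixed are hypothetical, and the 8-slot array stands in for tile_sprs[80] so the overflow case is easy to exercise.

```c
/* Added example (not Freeciv code): sprite_t, sprite_buf, fill_layer,
 * fill_all and fill_into_fixed are hypothetical; sprite ids are constructed. */
#include <stdbool.h>
#include <stddef.h>

typedef struct { int id; } sprite_t;

/* Output buffer with explicit capacity and an overflow flag, instead of a
 * bare sprite_t pointer whose remaining room the callee cannot know. */
typedef struct { sprite_t *data; size_t cap, len; bool overflowed; } sprite_buf;

/* Append one sprite. A full buffer sets the flag and drops the sprite rather
 * than writing past the end. Returns 1 if stored, 0 if dropped. */
static int sprite_buf_push(sprite_buf *b, int id) {
  if (b->len >= b->cap) { b->overflowed = true; return 0; }
  b->data[b->len++].id = id;
  return 1;
}

/* One layer of the filler. The unchecked pattern in the report would be
 * "sprs[n++] = ...; return n;"; here every store goes through the check. */
static int fill_layer(sprite_buf *b, int base, int count) {
  int added = 0;
  for (int i = 0; i < count; i++) added += sprite_buf_push(b, base + i);
  return added;
}

/* Top-level filler: several layers, each contributing per_layer sprites.
 * Returns the number actually stored; the caller inspects b->overflowed. */
int fill_all(sprite_buf *b, int layers, int per_layer) {
  int total = 0;
  for (int l = 0; l < layers; l++) total += fill_layer(b, l * 100, per_layer);
  return total;
}

/* Fill a fixed caller array (8 slots here, standing in for tile_sprs[80]).
 * Returns the stored count and reports via *overflow whether anything was lost. */
int fill_into_fixed(int layers, int per_layer, bool *overflow) {
  sprite_t tile_sprs[8];
  sprite_buf b = { tile_sprs, sizeof tile_sprs / sizeof tile_sprs[0], 0, false };
  int n = fill_all(&b, layers, per_layer);
  *overflow = b.overflowed;
  return n;
}
```

With 2 layers of 3 sprites all 6 fit; with 3 layers of 3 the ninth is dropped and the flag is set, which is the condition a caller would log or assert on instead of silently corrupting the stack.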




Depends on the following items: None found

Items that depend on this one: None found


Carbon-Copy List
  • -unavailable- added by cazfi (Updated the item)
  • -unavailable- added by jtn (Submitted the item)




Follows 1 latest change.

Date | Changed By | Updated Field | Previous Value => Replaced By
Thu Jan 21 05:16:20 2016 | cazfi | Planned Release | (empty) => 2.6.0, 3.0.0