-rw-r--r-- | CHANGELOG.md | 1 | ||||
-rw-r--r-- | FICS/gamedb.c | 9 | ||||
-rw-r--r-- | FICS/playerdb.c | 27 |
3 files changed, 35 insertions, 2 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2e330ac..6138424 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ documented in this file.
 - Changed the program to avoid calculating the same string multiple times. Multiple occurrences, found by PVS-Studio.
 - Fixed `-Wshadow` warnings. Multiple occurrences.
+- Fixed calls of risky functions.
 - Fixed double `free()` in `process_login()`.
 - Fixed memory leak in `process_login()`.
 - Fixed negative array index read in `accept_match()`.
diff --git a/FICS/gamedb.c b/FICS/gamedb.c
index 2293ba7..7d094c2 100644
--- a/FICS/gamedb.c
+++ b/FICS/gamedb.c
@@ -40,6 +40,8 @@
 Markus Uhlin 25/03/25 ReadGameState: fixed truncated stdio return value.
 Markus Uhlin 25/04/01 Fixed call of risky function
+ Markus Uhlin 25/04/01 ReadV1GameFmt: guard num half
+ moves.
 */
 #include "stdinclude.h"
@@ -47,6 +49,7 @@
 #include <err.h>
 #include <errno.h>
+#include <limits.h>
 #include "command.h"
 #include "config.h"
@@ -1320,6 +1323,12 @@ ReadV1GameFmt(game *g, FILE *fp, const char *file, int version)
 if (ret[0] != 4 || ret[1] != 1) {
 warnx("%s: fscanf error: %s", __func__, file);
 return -1;
+ } else if (g->numHalfMoves < 0 || (size_t)g->numHalfMoves >
+ INT_MAX / sizeof(move_t)) {
+ warnx("%s: warning: num half moves out-of-bounds (%d)",
+ __func__,
+ g->numHalfMoves);
+ return -1;
 }
 if (ReadV1Moves(g, fp) != 0) {
diff --git a/FICS/playerdb.c b/FICS/playerdb.c
index 309a8fc..06694ab 100644
--- a/FICS/playerdb.c
+++ b/FICS/playerdb.c
@@ -43,6 +43,8 @@
 Markus Uhlin 25/03/29 player_remove_request: fixed overflowed array index read/write.
+ Markus Uhlin 25/04/02 add_to_list: added an upper
+ limit for the list size.
 */
 #include "stdinclude.h"
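Review bot: The new bound `INT_MAX / sizeof(move_t)` in ReadV1GameFmt only keeps `numHalfMoves * sizeof(move_t)` from overflowing an int; it still accepts a half-move count far beyond any plausible game, so a corrupt game file can, if ReadV1Moves (outside the hunk) sizes an allocation from it, request up to roughly INT_MAX bytes. A domain limit on the count, e.g. a named constant such as `MAX_HALF_MOVES` (placeholder, to be defined next to the other game limits) checked in the same condition, would reject such files before any allocation happens. The message text says `warning:` although the branch returns -1 and aborts the read, which is inconsistent with the `fscanf error` branch right above it; dropping the prefix or using `error:` would match. The `else if` after a branch that unconditionally returns can be a plain `if`. ReadV1GameFmt begins above the hunk.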
@@ -409,10 +411,14 @@ add_to_list(FILE *fp, enum ListWhich lw, int *size, int p)
 #define SCAN_STR "%1023s"
- if (*size <= 0)
- return -2;
+ if (*size <= 0 || *size > MAX_GLOBAL_LIST_SIZE) {
+ warnx("%s: illegal list size (%d)", __func__, *size);
+ return -1;
+ }
+
 while ((*size)-- > 0 && fscanf(fp, SCAN_STR, buf) == 1)
 list_add(p, lw, buf);
+ return (*size <= 0 ? 0 : -1);
 }
@@ -578,6 +584,23 @@ ReadV1PlayerFmt(int p, player *pp, FILE *fp, char *file, int version)
 pp->timeOfReg = array[0];
 pp->totalTime = array[1];
+ if (pp->num_plan > MAX_PLAN) {
+ warnx("Player %s is corrupt\nToo many plans (%d)",
+ parray[p].name,
+ pp->num_plan);
+ return;
+ } else if (pp->num_formula > MAX_FORMULA) {
+ warnx("Player %s is corrupt\nToo many formulas (%d)",
+ parray[p].name,
+ pp->num_formula);
+ return;
+ } else if (pp->numAlias > MAX_ALIASES) {
+ warnx("Player %s is corrupt\nToo many aliases (%d)",
+ parray[p].name,
+ pp->numAlias);
+ return;
+ }
+
 if (pp->num_plan > 0) {
 for (i = 0; i < pp->num_plan; i++) {
 if (fgets(tmp2, sizeof tmp2, fp) == NULL) {
|
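Review bot: The new `return (*size <= 0 ? 0 : -1);` in add_to_list reports success when fscanf fails on the last expected entry: with `*size == 1` the loop test post-decrements it to 0 before fscanf runs, so a failed read leaves `*size == 0` and the function returns 0, whereas a complete read leaves `*size == -1` because the final false test still decrements. The minimal fix is `return (*size < 0 ? 0 : -1);`, but a loop that stores the fscanf result in its own variable and returns -1 as soon as it is not 1 would make the status independent of the decrement trick. The empty-list path now returns -1 where it returned -2 before; if any caller distinguished the two codes it needs updating (callers and the function's header are outside the hunk).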
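Review bot: The three new guards in ReadV1PlayerFmt reject only counts above MAX_PLAN, MAX_FORMULA and MAX_ALIASES; a negative num_plan, num_formula or numAlias read from a corrupt record passes them. The plan loop below is protected by `if (pp->num_plan > 0)`, but the formula and alias counts are consumed outside this hunk and may not be, so the checks should be two-sided, e.g. `if (pp->num_plan < 0 || pp->num_plan > MAX_PLAN) {` and likewise for the other two. Since the function returns void, each `return;` leaves pp partially filled and the caller cannot tell a corrupt player from a loaded one; if callers act on pp afterwards, a status return is worth considering (the signature is above the hunk). The `else if` chaining after unconditional `return;` is unnecessary; independent `if` blocks read more plainly.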