Scope-eye.net Git Repository / liskon_frotz.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9181510)
Fixed some problems with unsafe strcpy() calls writing out of bounds.
authorDavid Griffith <dave@661.org>
Thu, 31 Jan 2019 16:07:08 +0000 (08:07 -0800)
committerDavid Griffith <dave@661.org>
Thu, 31 Jan 2019 16:14:39 +0000 (08:14 -0800)
This manifested in sfrotz crashing with a
"double free or corruption (!prev)" or "munmap_chunk(): invalid pointer"
when saving or restoring using a graphical dialog.  The dialog would
cause os_read_file_name() to return a complete path for the save file.
If done with the -T option, then this information would be obtained in
the text window and only what was typed would be returned.  That's how
the curses and dumb interfaces work too.  That's why the problem wasn't
seen until tinkering with the SDL interface.

There are five other instances of strcpy() left in the core, six in the
curses interface, three in the dumb interface, and a whopping thirty in
the SDL interface.  These will be fixed later.

src/common/fastmem.c patch | blob | history

diff --git a/src/common/fastmem.c b/src/common/fastmem.c
index d73e7a1e16cca00b02fe1c35d9047de3d1dd9a73..64ea183de948cde05606ec2365a4ce610e1b1910 100644 (file)
--- a/src/common/fastmem.c
+++ b/src/common/fastmem.c
@@ -691,7 +691,8 @@ void z_restore (void)
        if (os_read_file_name (new_name, default_name, FILE_LOAD_AUX) == 0)
            goto finished;
 
-       strcpy (f_setup.aux_name, default_name);
+       free(f_setup.aux_name);
+       f_setup.aux_name = strdup(default_name);
 
        /* Open auxilary file */
 
@@ -718,7 +719,8 @@ void z_restore (void)
        if (os_read_file_name (new_name, f_setup.save_name, FILE_RESTORE) == 0)
            goto finished;
 
-       strcpy (f_setup.save_name, new_name);
+       free(f_setup.save_name);
+       f_setup.save_name = strdup(new_name);
 
        /* Open game file */
 
@@ -929,7 +931,8 @@ void z_save (void)
        if (os_read_file_name (new_name, default_name, FILE_SAVE_AUX) == 0)
            goto finished;
 
-       strcpy (f_setup.aux_name, default_name);
+       free(f_setup.aux_name);
+       f_setup.aux_name = strdup(default_name);
 
        /* Open auxilary file */
 
@@ -957,7 +960,8 @@ void z_save (void)
        if (os_read_file_name (new_name, f_setup.save_name, FILE_SAVE) == 0)
            goto finished;
 
-       strcpy (f_setup.save_name, new_name);
+       free(f_setup.save_name);
+       f_setup.save_name = strdup(new_name);
 
        /* Open game file */
 
Project to make the text adventure interpreter "frotz" smaller, and run better on an old 8086 PC.