From d52da5e67d4806c743327b3b7a24d8ffe0b5fbfc Mon Sep 17 00:00:00 2001
From: David Griffith
Date: Thu, 31 Jan 2019 08:07:08 -0800
Subject: [PATCH] Fixed some problems with unsafe strcpy() calls writing out of bounds.

This manifested in sfrotz crashing with a "double free or corruption (!prev)" or "munmap_chunk(): invalid pointer" when saving or restoring using a graphical dialog. The dialog would cause os_read_file_name() to return a complete path for the save file. If done with the -T option, then this information would be obtained in the text window and only what was typed would be returned. That's how the curses and dumb interfaces work too. That's why the problem wasn't seen until tinkering with the SDL interface. There are five other instances of strcpy() left in the core, six in the curses interface, three in the dumb interface, and a whopping thirty in the SDL interface. These will be fixed later.
---
 src/common/fastmem.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/common/fastmem.c b/src/common/fastmem.c
index d73e7a1..64ea183 100644
--- a/src/common/fastmem.c
+++ b/src/common/fastmem.c
@@ -691,7 +691,8 @@ void z_restore (void)
 if (os_read_file_name (new_name, default_name, FILE_LOAD_AUX) == 0) goto finished;
- strcpy (f_setup.aux_name, default_name);
+ free(f_setup.aux_name);
+ f_setup.aux_name = strdup(default_name);
 /* Open auxilary file */
@@ -718,7 +719,8 @@ void z_restore (void)
 if (os_read_file_name (new_name, f_setup.save_name, FILE_RESTORE) == 0) goto finished;
- strcpy (f_setup.save_name, new_name);
+ free(f_setup.save_name);
+ f_setup.save_name = strdup(new_name);
 /* Open game file */
@@ -929,7 +931,8 @@ void z_save (void)
 if (os_read_file_name (new_name, default_name, FILE_SAVE_AUX) == 0) goto finished;
- strcpy (f_setup.aux_name, default_name);
+ free(f_setup.aux_name);
+ f_setup.aux_name = strdup(default_name);
 /* Open auxilary file */
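Review bot: `strdup(default_name)` on the new `f_setup.aux_name =` line is never checked, so on allocation failure the field is left NULL after `free(f_setup.aux_name)` has already discarded the previous name, and whatever later reads it (the default-name construction is not visible in this hunk) dereferences NULL; the same free-then-strdup sequence appears in the other three hunks of this file. Making the copy first and freeing only on success keeps the old name intact when strdup() fails, and since the sequence occurs four times it is worth a small static helper as sketched below. This also assumes every front end hands over a heap-allocated `aux_name`/`save_name` — free() on a static buffer or string literal is undefined — which is worth confirming for the SDL and dumb interfaces the commit message mentions, since their setup is outside this hunk. Note too that strdup() is POSIX rather than ISO C, so a strict `-std=c99` build needs the right feature-test macro; the includes are not shown here. z_restore starts before and continues after this hunk, so the `finished:` label is not visible.
```c
/* Replace *slot with a heap copy of src; *slot is left untouched when the copy fails. */
static int set_name(char **slot, const char *src)
{
	char *copy = strdup(src);

	if (copy == NULL)
		return 0;
	free(*slot);
	*slot = copy;
	return 1;
}

/* … unchanged: os_read_file_name() prompt and goto finished … */
	if (!set_name(&f_setup.aux_name, default_name))
		goto finished;
```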
@@ -957,7 +960,8 @@ void z_save (void)
 if (os_read_file_name (new_name, f_setup.save_name, FILE_SAVE) == 0) goto finished;
- strcpy (f_setup.save_name, new_name);
+ free(f_setup.save_name);
+ f_setup.save_name = strdup(new_name);
 /* Open game file */
-- 
2.34.1
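Review bot: The new `f_setup.save_name = strdup(new_name);` line is not checked for NULL, and because `free(f_setup.save_name)` runs first, an allocation failure leaves `f_setup.save_name` NULL — presumably for the rest of the session, including the next `os_read_file_name (new_name, f_setup.save_name, FILE_SAVE)` call shown in this hunk's context line, which passes it as the default name. Copying before freeing and keeping the old name on failure avoids that: `char *copy = strdup(new_name); if (copy == NULL) goto finished;` followed by `free(f_setup.save_name); f_setup.save_name = copy;`. The same free-then-strdup sequence appears at the three other save/restore sites in this file, so a small `static` helper taking a `char **` slot would cover all four without repeating the check. z_save begins before this hunk and continues after it, so the `finished:` label being jumped to is not visible here.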