-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Accessing arrays out of bounds #2
Comments
troglobit
added a commit
that referenced
this issue
Aug 7, 2023
In turn.c and verb.c we move to obj + MAXOBJ, which is what the drop() function already does, so it seems likely that it means we should index inside fixed[] array, instead of outside it. As discussed in issue #2. Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
troglobit
added a commit
that referenced
this issue
Aug 7, 2023
As discussed in issue #2. Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
troglobit
added a commit
that referenced
this issue
Aug 7, 2023
Similar to the other accesses discussed in issue #2. Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
First of all, apologies for the late reply, and thank you for these findings! I've set up Coverity Scan now also, which has found even more. I'll be closing this issue when the fixes are merged back to the |
There merged to master. Fixes will be part of the next release, v4.2. |
This issue was closed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
There are a couple of places in the turn.c file where the code accesses arrays out-of-bounds.
The following code segment will access the non existent elements prop[MAXOBJ] and place[MAXOBJ] (via toting() function).
85 if (closed) {
86 if (prop[OYSTER] < 0 && toting(OYSTER))
87 pspeak(OYSTER, 1);
88 for (i = 1; i <= MAXOBJ; ++i)
89 if (toting(i) && prop[i] < 0)
90 prop[i] = -1 - prop[i];
91 }
The following code will access place[MAXOBJ] (via toting() function). The call to dstroy() may or may not be a problem, that function allows values >= MAXOBJ, but may not give the intended result here.
792 for (i = 1; i <= MAXOBJ; ++i)
793 if (toting(i))
794 dstroy(i);
In the file database.c there appears to be a related problem in the move() function, where a value >= MAXOBJ will access the fixed array out-of-bounds - the intended array element is likely fixed[obj - MAXOBJ].
298 /*
299 Routine to destroy an object
300 */
301 void dstroy(int obj)
302 {
303 move(obj, 0);
304 }
305
306 /*
307 Routine to move an object
308 */
309 void move(int obj, int where)
310 {
311 int from;
312
313 from = (obj < MAXOBJ) ? place[obj] : fixed[obj];
314 if (from > 0 && from <= 300)
315 carry(obj, from);
316 drop(obj, where);
317 }
318
The arrays are declared in the advdef.h file with a size of MAXOBJ
26 int place[MAXOBJ]; /* object location */
27 int fixed[MAXOBJ]; /* second object loc */
28 int visited[MAXLOC]; /* >0 if has been here */
29 int prop[MAXOBJ]; /* status of object */
The text was updated successfully, but these errors were encountered: