Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Accessing arrays out of bounds #2

Closed
david-nc opened this issue Mar 18, 2023 · 2 comments
Closed

Accessing arrays out of bounds #2

david-nc opened this issue Mar 18, 2023 · 2 comments
Assignees
@troglobit

Comments

@david-nc
Copy link

david-nc commented Mar 18, 2023
edited
Loading

There are a couple of places in the turn.c file where the code accesses arrays out-of-bounds.
The following code segment will access the non existent elements prop[MAXOBJ] and place[MAXOBJ] (via toting() function).

85 if (closed) {
86 if (prop[OYSTER] < 0 && toting(OYSTER))
87 pspeak(OYSTER, 1);
88 for (i = 1; i <= MAXOBJ; ++i)
89 if (toting(i) && prop[i] < 0)
90 prop[i] = -1 - prop[i];
91 }

The following code will access place[MAXOBJ] (via toting() function). The call to dstroy() may or may not be a problem, that function allows values >= MAXOBJ, but may not give the intended result here.

792 for (i = 1; i <= MAXOBJ; ++i)
793 if (toting(i))
794 dstroy(i);

In the file database.c there appears to be a related problem in the move() function, where a value >= MAXOBJ will access the fixed array out-of-bounds - the intended array element is likely fixed[obj - MAXOBJ].

298 /*
299 Routine to destroy an object
300 */
301 void dstroy(int obj)
302 {
303 move(obj, 0);
304 }
305
306 /*
307 Routine to move an object
308 */
309 void move(int obj, int where)
310 {
311 int from;
312
313 from = (obj < MAXOBJ) ? place[obj] : fixed[obj];
314 if (from > 0 && from <= 300)
315 carry(obj, from);
316 drop(obj, where);
317 }
318

The arrays are declared in the advdef.h file with a size of MAXOBJ

26 int place[MAXOBJ]; /* object location */
27 int fixed[MAXOBJ]; /* second object loc */
28 int visited[MAXLOC]; /* >0 if has been here */
29 int prop[MAXOBJ]; /* status of object */
@troglobit troglobit self-assigned this Aug 4, 2023
troglobit added a commit that referenced this issue Aug 7, 2023
@troglobit
Fix out-of-bounds access
3524979 
In turn.c and verb.c we move to obj + MAXOBJ, which is what the drop()
function already does, so it seems likely that it means we should index
inside fixed[] array, instead of outside it.

As discussed in issue #2.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
troglobit added a commit that referenced this issue Aug 7, 2023
@troglobit
Fix out-of-bounds access
f44cb2b 
As discussed in issue #2.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
troglobit added a commit that referenced this issue Aug 7, 2023
@troglobit
Fix out-of-bounds access
463b68a 
Similar to the other accesses discussed in issue #2.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit
Copy link
Owner

First of all, apologies for the late reply, and thank you for these findings! I've set up Coverity Scan now also, which has found even more.

I'll be closing this issue when the fixes are merged back to the master branch.

@troglobit
Copy link
Owner

There merged to master. Fixes will be part of the next release, v4.2.

This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@troglobit troglobit

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@troglobit @david-nc