| commit | 119b86bf09b36a35cbe120b5ac5a4c3206d8f6c8 | |
| author | PatR <rankin@nethack.org> | |
| Mon, 9 May 2016 00:56:52 +0000 (8 17:56 -0700) | ||
| committer | PatR <rankin@nethack.org> | |
| Mon, 9 May 2016 00:56:52 +0000 (8 17:56 -0700) | ||
| tree | 4462bbfd2ba99d0cae5b297e7d4ab323c22fa042 | treesnapshot (tar.gz zip) |
| parent | bb5f2e4964ee8784469107ef3b97519da189673d | commitdiff |
option parsing buffer overflow vulnerability
The report that parse_config_line() could overflow its buffer
when passed a long value from parse_config_file() was already
fixed for 3.6.1, but longer config lines mean that later stages
of option parsing need to be aware of the possibility of lines
longer than BUFSZ. This fixes the three special options which
deal with regular expressions. Autopickup exceptions, message
types, and menu coloring all could exceed BUFSZ when formatting
a value to put in the menu for 'list' or 'remove' of existing
entries. Menu colors could overflow by an arbitrary amount,
message types by up to 13 bytes, and autopickup exceptions by
just 1 byte.
Both tty and X11 seem to cope with long menu entries (wider
than can be displayed but not exceeding BUFSZ) by truncating.
For menu colorings, that hides the color and highlight attribute
since those are placed after the regexp.
Menu line truncation for tty was straightforward, just chopped
a big chunk off the end of the long string. For X11, it did
that too, taking off a lot less but ending up with much of the
menu hidden off the left edge of the screen. Dragging it into
view showed that the width fit the whole screen (or possibly
fit the width of the map, which was also as wide as the screen).
So the initial position is being miscalculated.
The report that parse_config_line() could overflow its buffer
when passed a long value from parse_config_file() was already
fixed for 3.6.1, but longer config lines mean that later stages
of option parsing need to be aware of the possibility of lines
longer than BUFSZ. This fixes the three special options which
deal with regular expressions. Autopickup exceptions, message
types, and menu coloring all could exceed BUFSZ when formatting
a value to put in the menu for 'list' or 'remove' of existing
entries. Menu colors could overflow by an arbitrary amount,
message types by up to 13 bytes, and autopickup exceptions by
just 1 byte.
Both tty and X11 seem to cope with long menu entries (wider
than can be displayed but not exceeding BUFSZ) by truncating.
For menu colorings, that hides the color and highlight attribute
since those are placed after the regexp.
Menu line truncation for tty was straightforward, just chopped
a big chunk off the end of the long string. For X11, it did
that too, taking off a lot less but ending up with much of the
menu hidden off the left edge of the screen. Dragging it into
view showed that the width fit the whole screen (or possibly
fit the width of the map, which was also as wide as the screen).
So the initial position is being miscalculated.
| doc/fixes36.1 | diffblobblamehistory | |
| src/options.c | diffblobblamehistory |