From 7059e40c7a487b17886e1d345b52fc0cfca8df72 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Wed, 2 Jun 2021 13:15:29 +0200
Subject: [PATCH] frontend/cmd.cc: Fix buffer overflow CVE-2021-30184
Based on prior work by Michael Vaughan,
with "break;" replaced by "return;" and
magic number 9 resolved by strlen("setboard ").
Mimics close-to-identical existing code from
elsewhere in the same file.
---
src/frontend/cmd.cc | 30 ++++++++++++++++++++++--------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/src/frontend/cmd.cc b/src/frontend/cmd.cc
index a321fc2..394d03f 100644
--- a/src/frontend/cmd.cc
+++ b/src/frontend/cmd.cc
@@ -477,13 +477,20 @@ void cmd_pgnload(void)
return;
}
- strcpy( data, "setboard " );
+ const char setboardCmd[] = "setboard ";
+ unsigned int setboardLen = strlen(setboardCmd);
+ strcpy( data, setboardCmd );
int i=0;
while ( epdline[i] != '\n' ) {
- data[i+9] = epdline[i];
- ++i;
+ if (i + setboardLen < MAXSTR - 1) {
+ data[i+setboardLen] = epdline[i];
+ ++i;
+ } else {
+ printf( _("Error reading contents of file '%s'.\n"), token[1] );
+ return;
+ }
}
- data[i+9] = '\0';
+ data[i+setboardLen] = '\0';
SetDataToEngine( data );
SetAutoGo( true );
pgnloaded = 0;
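Review bot: The loop condition `while ( epdline[i] != '\n' )` still has no stop for the string terminator, so an EPD line that arrives without a trailing newline (a final line with no '\n', or a line longer than the read buffer) walks past the NUL and copies stale buffer bytes into `data` until the new bound trips and the load is rejected with a read error. The added `i + setboardLen < MAXSTR - 1` check does keep the write to `data` in bounds, but whether the read of `epdline[i]` is also in bounds depends on `epdline` being at least MAXSTR bytes, which is declared outside this hunk. Changing the condition to `while ( epdline[i] != '\n' && epdline[i] != '\0' ) {` bounds the copy by the string itself and lets a newline-less final line load normally. The identical loop in cmd_pgnreplay in the second hunk has the same gap, and the two copies are a candidate for one shared helper. cmd_pgnload begins before and continues after this hunk.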
@@ -501,13 +508,20 @@ void cmd_pgnreplay(void)
return;
}
- strcpy( data, "setboard " );
+ const char setboardCmd[] = "setboard ";
+ unsigned int setboardLen = strlen(setboardCmd);
+ strcpy( data, setboardCmd );
int i=0;
while ( epdline[i] != '\n' ) {
- data[i+9] = epdline[i];
- ++i;
+ if (i + setboardLen < MAXSTR - 1) {
+ data[i+setboardLen] = epdline[i];
+ ++i;
+ } else {
+ printf( _("Error reading contents of file '%s'.\n"), token[1] );
+ return;
+ }
}
- data[i+9] = '\0';
+ data[i+setboardLen] = '\0';
SetDataToEngine( data );
SetAutoGo( true );
--
2.31.1