git.pond.sub.org Git - empserver/commit
navigate march retreat lretreat: Fix read beyond buffer
author Markus Armbruster <armbru@pond.sub.org>
Sun, 20 Sep 2015 11:17:33 +0000 (13:17 +0200)
committer Markus Armbruster <armbru@pond.sub.org>
Sat, 5 Dec 2015 11:51:07 +0000 (12:51 +0100)
commit 25c7d3798bfe568c503929d2fc39da0c4f35da52
tree 1f5160a4db64608c2adb2afd9e37d1e3eebd04fa
parent 493dc5f9410be0e8f0bbc9a97e16f98221123c13
navigate march retreat lretreat: Fix read beyond buffer

shp_nav_gauntlet() and lnd_mar_gauntlet() read beyond the list head
when the list is empty.  The values read aren't used then.  Could
conceivably crash the server anyway, but it's unlikely.

Empty list happens when shp_nav_dir(), lnd_mar_dir() empty the list
and return zero.  Broken in commit beedf8d, v4.3.33.  Occurs in
navi-march-test (since the last commit) and in retreat-test.

Change shp_nav_dir() and lnd_mar_dir() to return one then.  For
additional safety, make shp_nav_gauntlet() and lnd_mar_gauntlet() oops
on empty list and recover safely.

I think I originally found this bug with -fsanitize, but I've since
upgraded, and I can't diagnose it that way anymore.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
src/lib/subs/lndsub.c
src/lib/subs/shpsub.c
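The read-beyond-head pattern the message describes, and the two-part fix (the dir step reports when it emptied the list, the gauntlet refuses to run on an empty one), as an added C illustration that is not empserver's code. The list type, the unit struct and the function names are assumptions modelled on the description, not the project's own definitions.

```c
/* Intrusive circular list with a standalone head, in the style the commit
 * message implies.  All names are assumptions for this illustration. */
struct qelem { struct qelem *next, *prev; };
struct unit { struct qelem queue; int id; int mobil; };
#define QEMPTY(h) ((h)->next == (h))
static void q_init(struct qelem *h) { h->next = h->prev = h; }
static void q_add_tail(struct qelem *h, struct qelem *e)
{
    e->next = h; e->prev = h->prev;
    h->prev->next = e; h->prev = e;
}
static void q_remove(struct qelem *e) { e->prev->next = e->next; e->next->prev = e->prev; }

/* Stand-in for shp_nav_dir()/lnd_mar_dir(): drop units that cannot move.
 * Returns 1 when that emptied the list (the commit's fix), else 0. */
int nav_dir(struct qelem *list)
{
    struct qelem *qp, *next;
    for (qp = list->next; qp != list; qp = next) {
        next = qp->next;
        if (((struct unit *)qp)->mobil <= 0)
            q_remove(qp);
    }
    return QEMPTY(list);
}

/* Stand-in for shp_nav_gauntlet(): inspects the first unit.  Without the
 * QEMPTY check an empty list makes list->next point at the bare head, so the
 * cast reads unit fields beyond that struct qelem.  Returns the first unit's
 * id, or -1 to "oops and recover safely" on an empty list. */
int gauntlet(struct qelem *list)
{
    if (QEMPTY(list))
        return -1;
    return ((struct unit *)list->next)->id;
}

/* Constructed driver: unit i gets id i+1 and the given mobility; runs the
 * dir step, then the gauntlet only while units remain (n <= 8). */
int navigate(const int *mobil, int n)
{
    struct unit units[8]; struct qelem list; int i;
    q_init(&list);
    for (i = 0; i < n && i < 8; i++) {
        units[i].id = i + 1; units[i].mobil = mobil[i];
        q_add_tail(&list, &units[i].queue);
    }
    if (nav_dir(&list))
        return -1;      /* list emptied: stop; gauntlet never sees it empty */
    return gauntlet(&list);
}
```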