git.pond.sub.org Git - empserver/commit

author	Markus Armbruster <armbru@pond.sub.org>
	Sun, 26 Jul 2015 18:28:34 +0000 (20:28 +0200)
committer	Markus Armbruster <armbru@pond.sub.org>
	Sat, 5 Dec 2015 11:51:07 +0000 (12:51 +0100)
commit	6888337afe583745cd16f52273a3938c1b7c6c22
tree	712f4a3a92b75531980727de3914a085b34befe7	tree \| snapshot
parent	b9375b14b1ee1247ec4830d99143a5847e05ac33	commit \| diff

bomb drop fly paradrop recon sweep: Fix read before array

The code computing the length of the flight path checks whether the
path ends with 'h'.  When getpath() returns an empty path, it accesses
flightpath[-1].  This could set the length to -1 (unlikely), or crash
(even less likely).  The former could be abused to gain mobility for
sufficiently inefficient or short-ranged planes.  Found with valgrind.

Broken in commit 404a76f7, v4.3.27.

Historically, getpath() could return paths with or without 'h', and
the check was necessary.  It returned an empty path only when the
player gave no input, aborting the command.  When the player entered
the assembly point's coordinates, it returned "h".

Commit 404a76f7 accidentally changed it to return "" then.  Also broke
flying to the assembly point's coordinates.  Commit 0f1e14f (v4.3.31)
fixed that part by changing getpath()'s contract: always return paths
without 'h' ("" simply means empty path), and return NULL on invalid
input, including no input.

The flawed check is superfluous since then.  Drop it.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>

src/lib/commands/bomb.c		diff \| blob \| history
src/lib/commands/drop.c		diff \| blob \| history
src/lib/commands/fly.c		diff \| blob \| history
src/lib/commands/para.c		diff \| blob \| history
src/lib/commands/reco.c		diff \| blob \| history