From 4801fad4a8e4af835cb6d31922ce078ce8fe43df Mon Sep 17 00:00:00 2001 From: Markus Armbruster Date: Sat, 5 May 2012 14:16:00 +0200 Subject: [PATCH] Fix buffer overruns in fairland for island size zero Fairland creates islands with size 1 + random() % (2 * is - 1), where "is" is either chosen by the user (fourth command line argument) or defaults to half the continent size (second command line argument). Negative values are silently replaced by zero. Not only does value zero make no sense, it also breaks the code: the island size is always one then (because random() % -1 is zero), but allocate_memory() provides only space for zero sectors in sectx[], secty[] and sectc[]. This leads to buffer overruns in try_to_grow(), find_coast(), elevate_land, set_coastal_flags(). Can smash the heap. Fix by changing the lower bound from zero to one. Diagnosed with valgrind. Has always been broken. --- src/util/fairland.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/util/fairland.c b/src/util/fairland.c index 3b13d0dc4..e4109f286 100644 --- a/src/util/fairland.c +++ b/src/util/fairland.c @@ -368,8 +368,8 @@ parse_args(int argc, char *argv[]) is = atoi(argv[3]); else is = sc / 2; - if (is < 0) - is = 0; + if (is < 1) + is = 1; if (argc > 4) sp = atoi(argv[4]); -- 2.43.0
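Review bot: The clamp `if (is < 1) is = 1;` removes the overrun but still silently rewrites bad input, and because `is = atoi(argv[3]);` (visible two lines above the change) returns 0 for non-numeric text, a typo in the fourth argument now quietly becomes island size 1 instead of an error. Consider emitting a diagnostic when `is` is raised to 1 (e.g. `fprintf(stderr, "island size %d too small, using 1\n", is);`) or parsing with strtol and rejecting unparsable values, so the user learns the map was not generated with the size they asked for. The same clamp also covers the default path `is = sc / 2;` when `sc` is 1, which is worth a sentence in the commit message since that case needs no explicit fourth argument to trigger the old overrun.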