empire/empserver
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix buffer overruns in fairland for island size zero

Browse source 
Fairland creates islands with size 1 + random() % (2 * is - 1), where
"is" is either chosen by the user (fourth command line argument) or
defaults to half the continent size (second command line argument).
Negative values are silently replaced by zero.

Not only does value zero make no sense, it also breaks the code: the
island size is always one then (because random() % -1 is zero), but
allocate_memory() provides only space for zero sectors in sectx[],
secty[] and sectc[].  This leads to buffer overruns in try_to_grow(),
find_coast(), elevate_land, set_coastal_flags().  Can smash the heap.

Fix by changing the lower bound from zero to one.  Diagnosed with
valgrind.  Has always been broken.
This commit is contained in:
Markus Armbruster 2012-05-05 14:16:00 +02:00
parent 3464a4a9d0
commit 4801fad4a8
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/util/fairland.c
View file

@ -368,8 +368,8 @@ parse_args(int argc, char *argv[])
is = atoi(argv[3]); is = atoi(argv[3]);
else else
is = sc / 2; is = sc / 2;
if (is < 0) if (is < 1)
is = 0; is = 1;
if (argc > 4) if (argc > 4)
sp = atoi(argv[4]); sp = atoi(argv[4]);