empire/empserver
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

bomb drop fly paradrop recon sweep: Fix read before array

Browse source 
The code computing the length of the flight path checks whether the
path ends with 'h'.  When getpath() returns an empty path, it accesses
flightpath[-1].  This could set the length to -1 (unlikely), or crash
(even less likely).  The former could be abused to gain mobility for
sufficiently inefficient or short-ranged planes.  Found with valgrind.

Broken in commit 404a76f7, v4.3.27.

Historically, getpath() could return paths with or without 'h', and
the check was necessary.  It returned an empty path only when the
player gave no input, aborting the command.  When the player entered
the assembly point's coordinates, it returned "h".

Commit 404a76f7 accidentally changed it to return "" then.  Also broke
flying to the assembly point's coordinates.  Commit 0f1e14f (v4.3.31)
fixed that part by changing getpath()'s contract: always return paths
without 'h' ("" simply means empty path), and return NULL on invalid
input, including no input.

The flawed check is superfluous since then.  Drop it.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
This commit is contained in:
Markus Armbruster 2015-07-26 20:28:34 +02:00
parent b9375b14b1
commit 6888337afe
5 changed files with 0 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/lib/commands/bomb.c
View file

@ -117,8 +117,6 @@ bomb(void)
pr("target sector is %s\n", xyas(tx, ty, player->cnum));
getsect(tx, ty, &target);
ap_to_target = strlen(flightpath);
if (flightpath[ap_to_target - 1] == 'h')
ap_to_target--;
pr("range to target is %d\n", ap_to_target);
/*
* select planes within range

2
src/lib/commands/drop.c
View file

@ -95,8 +95,6 @@ drop(void)
}
ap_to_target = strlen(flightpath);
if (flightpath[ap_to_target - 1] == 'h')
ap_to_target--;
pr("range to target is %d\n", ap_to_target);
/*
* select planes within range

2
src/lib/commands/fly.c
View file

@ -92,8 +92,6 @@ fly(void)
}
ap_to_target = strlen(flightpath);
if (flightpath[ap_to_target - 1] == 'h')
ap_to_target--;
pr("range to target is %d\n", ap_to_target);
/*
* select planes within range

2
src/lib/commands/para.c
View file

@ -72,8 +72,6 @@ para(void)
getsect(tx, ty, &target);
pr("LZ is %s\n", xyas(tx, ty, player->cnum));
ap_to_target = strlen(flightpath);
if (flightpath[ap_to_target - 1] == 'h')
ap_to_target--;
pr("range to target is %d\n", ap_to_target);
if (target.sct_own == player->cnum) {
pr("You can't air-assault your own sector!\n");

2
src/lib/commands/reco.c
View file

@ -75,8 +75,6 @@ reco(void)
cno = target.gen.ef_type == EF_SHIP ? target.gen.uid : -1;
ap_to_target = strlen(flightpath);
if (flightpath[ap_to_target - 1] == 'h')
ap_to_target--;
pr("range to target is %d\n", ap_to_target);
/*
* select planes within range