empserver/src
Markus Armbruster 6888337afe bomb drop fly paradrop recon sweep: Fix read before array
The code computing the length of the flight path checks whether the
path ends with 'h'.  When getpath() returns an empty path, it accesses
flightpath[-1].  This could set the length to -1 (unlikely), or crash
(even less likely).  The former could be abused to gain mobility for
sufficiently inefficient or short-ranged planes.  Found with valgrind.

Broken in commit 404a76f7, v4.3.27.

Historically, getpath() could return paths with or without 'h', and
the check was necessary.  It returned an empty path only when the
player gave no input, aborting the command.  When the player entered
the assembly point's coordinates, it returned "h".

Commit 404a76f7 accidentally changed it to return "" then.  Also broke
flying to the assembly point's coordinates.  Commit 0f1e14f (v4.3.31)
fixed that part by changing getpath()'s contract: always return paths
without 'h' ("" simply means empty path), and return NULL on invalid
input, including no input.

The flawed check is superfluous since then.  Drop it.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
2015-12-05 12:51:07 +01:00
..
client Fix and clean up some comments 2015-12-05 12:31:08 +01:00
lib bomb drop fly paradrop recon sweep: Fix read before array 2015-12-05 12:51:07 +01:00
scripts tests: Fix for builds outside git-controlled source tree 2015-03-03 20:18:38 +01:00
server Change comment style to use @foo rather than FOO 2015-12-05 12:13:17 +01:00
util Update copyright notice 2015-02-28 16:21:34 +01:00
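
The read before the array that the commit message describes, shown as an added C illustration; it is not the Empire source, and the function names and buffer layout are constructed. The empty path is placed at offset 1 of a larger array so that index -1 stays inside the same object and the result is deterministic.

```c
#include <stdio.h>
#include <string.h>

/* Flawed pattern (hypothetical reconstruction): strip a trailing 'h'
 * without first checking that the path is non-empty. */
static int flawed_path_len(const char *path)
{
    int len = (int)strlen(path);

    if (path[len - 1] == 'h')   /* len == 0 reads path[-1] */
        len--;
    return len;
}

/* Length under the contract the message describes: NULL means invalid
 * input, "" is a valid empty path, and no path carries a trailing 'h'.
 * Returns 1 and stores the length, or 0 if the command must abort. */
static int fixed_path_len(const char *path, int *len)
{
    if (path == NULL)
        return 0;
    *len = (int)strlen(path);
    return 1;
}

/* Constructed demo: buf[0] plays the role of whatever byte happens to
 * precede the path buffer in memory; buf + 1 is the empty path. */
static int demo_flawed_on_empty(char preceding)
{
    char buf[4] = { preceding, '\0', '\0', '\0' };

    return flawed_path_len(buf + 1);
}

int main(void)
{
    int len = 0;

    printf("flawed, 'h' precedes buffer: %d\n", demo_flawed_on_empty('h'));
    printf("flawed, 'x' precedes buffer: %d\n", demo_flawed_on_empty('x'));
    if (fixed_path_len("", &len))
        printf("fixed, empty path: %d\n", len);
    return 0;
}
```

In a real build the byte before the buffer is not under the program's control, which is why a tool such as valgrind is what surfaces this class of read.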