[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[XBoard-devel] Buffer overflow

From: Byrial Jensen
Subject: [XBoard-devel] Buffer overflow
Date: Thu, 22 Dec 2011 20:22:31 +0100
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/20110922 Thunderbird/3.1.15

I think that the function PGNTagsStatic() in pgntags.c is unsafe. The problem is that gameInfo->extraTags which can have any size is copied without size control to a buffer which can overflow as the result. This is rather serious as it is easy to construct a pgn file that can cause the overflow.

You cannot have something of possibly unlimited size in a static buffer, so I suggest that PGNTagsStatic is removed. PGNTags() can then allocate a big eneogh buffer and do the work itself. PrintPGNTags() doesn't need a buffer, but can print directly to the file.

The "guilty" function is strcat() which is used in many places, so it is probably a good idea to check all uses of strcat.

However there is no reason to replace all occurences of strcat with something else like it is done with strcpy(). I find it a little silly to see calls to safeStrCpy instead of strcpy when you have just allocated a new buffer of the required size, so strcpy would be perfectly safe to use.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]