bug-gnu-chess
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Buffer Overflow in cmd_load


From: Antonio Ceballos
Subject: Re: Buffer Overflow in cmd_load
Date: Wed, 21 Aug 2019 10:29:18 +0200

Hi Henry,

Thanks for your report. The details you provide are very much appreciated. I see the bug you pinpoint and I will fix it for the next release of GNU Chess.

Regards,
Antonio Ceballos


On Wed, Aug 14, 2019 at 4:48 PM Henry Ballentine via Bug-gnu-chess <address@hidden> wrote:

Hello,


I found a stack buffer overflow in the cmd_load function in frontend/cmd.cc lines 318-322 in gnuchess 6.2.5. This occurs when trying to copy the contents of the loaded file to send to the game engine. 

318       while ( epdline[i] != '\n' ) {

319         data[i+9] = epdline[i];

320         ++i;

321         printf("%d %c 0x%X\n", i, data[i+9], epdline[i]);

322       }


When parsing a valid file with no endlines in it, if the filename is too long it overflows the data buffer because the copying while loop is looking for newlines, not nulls to terminate the loop. For example, inputting:


load /path/to/input/file/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtest2


File contents:

r5k1/p1p3p1/3bqr2/3pN2p/3ppB2/P7/1P3P1Q/R3R1K1 b - - bm 1; id 1;\8Ar5kAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA… (~16Kb of A)


Results in a stack where epdline has overflown into the buffer for handling user input, the base pointer, and the return address on the stack.


Regards,

Henry Ballentine


_______________________________________________
Bug-gnu-chess mailing list
address@hidden
https://lists.gnu.org/mailman/listinfo/bug-gnu-chess

reply via email to

[Prev in Thread] Current Thread [Next in Thread]