Prevent buffer overflow in charset names. Bugreport from Semen Panevin 2:5025/121

2011-02-12 22:02:48 +00:00 · 2011-02-12 22:02:48 +00:00 · b1693b62c7
commit b1693b62c7
parent fcd91a8d28
2 changed files with 47 additions and 2 deletions
--- a/golded3/gccfgg8.cpp
+++ b/golded3/gccfgg8.cpp
@ -598,10 +598,28 @@ void CfgXlatcharset() {

  Map xlt;
  char* ptr = strtok(val, " \t\n\r");
+  short maxtokenlen = sizeof(xlt.imp)-1;
  if(ptr) {
+    if(strlen(ptr) > maxtokenlen) {
+      STD_PRINT("* XLATCHARSET parser: Parameter '" << ptr
+          << "' too long. It is supposed no more than " << maxtokenlen << " characters. A line 'XLATCHARSET "
+          <<  ptr);
+      STD_PRINTNL(ptr+strlen(ptr)+1 << "' ignored.");
+      cfgerrors++;
+      return;
+    }
    strchg(strupr(strcpy(xlt.imp, ptr)), '_', ' ');
    ptr = strtok(NULL, " \t\n\r");
    if(ptr) {
+      if(strlen(ptr) > maxtokenlen) {
+        STD_PRINT("* XLATCHARSET parser: Parameter '" << ptr
+            << "' too long. It is supposed no more than " << maxtokenlen << " characters. A line 'XLATCHARSET "
+            <<  xlt.imp << " " << ptr);
+        STD_PRINTNL(ptr+strlen(ptr)+1 << "' ignored.");
+        cfgerrors++;
+        xlt.imp[0] = '\0';
+        return;
+      }
      strchg(strupr(strcpy(xlt.exp, ptr)), '_', ' ');
      ptr = strtok(NULL, " \t\n\r");
      if(ptr) {
--- a/golded3/gcmisc.cpp
+++ b/golded3/gcmisc.cpp
@ -680,7 +680,20 @@ void ReadXlatTables()
                    }
                    break;
                  case 4:
-                    strcpy(ChsTable.imp, strbtrim(ptr));
+                    {
+                      char *tp = strbtrim(ptr);
+                      if(strlen(tp) >= sizeof(ChsTable.imp)) {
+                        STD_PRINTNL("* " << AddPath(CFG->xlatpath, xlt->mapfile) << ": At line 4 charset name '" << tp
+                           << "' too long. It is supposed no more than " << sizeof(ChsTable.imp)-1 << " characters. A file ignored.");
+                        cfgerrors++;
+                        ifp.Lseek(0, SEEK_END);
+                        ChsTable.displaylevel = 0;
+                        ChsTable.level = 0;
+                        ChsTable.version = 0;
+                        ChsTable.id = 0;
+                      }
+                      else strcpy(ChsTable.imp, strbtrim(ptr));
+                    }
                    break;
                  case 5:
                    if (ChsTable.level && ChsTable.version!=-1)
@ -689,7 +702,21 @@ void ReadXlatTables()
                               strbtrim(ptr), ChsTable.level);
                    }
                    else
-                      strcpy(ChsTable.exp, strbtrim(ptr));
+                    {
+                      char *tp = strbtrim(ptr);
+                      if(strlen(tp) >= sizeof(ChsTable.exp)) {
+                        STD_PRINTNL("* " << AddPath(CFG->xlatpath, xlt->mapfile) << ": At line 4 charset name '" << tp
+                            << "' too long. It is supposed no more than " << sizeof(ChsTable.exp)-1 << " characters. A file ignored.");
+                        cfgerrors++;
+                        ifp.Lseek(0, SEEK_END);
+                        ChsTable.displaylevel = 0;
+                        ChsTable.level = 0;
+                        ChsTable.version = 0;
+                        ChsTable.id = 0;
+                        ChsTable.imp[0] = '\0';
+                      }
+                      else strcpy(ChsTable.exp, strbtrim(ptr));
+                    }
                    break;
                }
              }