 
Maelstrom bugfix (was Maelstrom Local Buffer Overflow Exploit, FreeBSD 4.8 edition)

From: Andrew Church (achurchachurch.org)
Date: Tue May 20 2003 - 21:45:10 CDT


     Am I the only one who thinks it odd to see so many exploits but no
fixes for the problem?

  --Andrew Church
    achurchachurch.org
    http://achurch.org/

---------------------------------------------------------------------------
[NOTE: this patch is just a methodical replacement of sprintf() on
       fixed-size buffers with snprintf(), and includes some places, like
       "%d" into a 128-byte buffer, that obviously won't overflow--but hey,
       paranoia is good for you.]

diff -ur Maelstrom-3.0.6-orig/controls.cpp Maelstrom-3.0.6/controls.cpp
--- Maelstrom-3.0.6-orig/controls.cpp 2001-03-25 03:04:28 +0900
+++ Maelstrom-3.0.6/controls.cpp 2003-05-21 11:25:53 +0900
-83,7 +83,7
         if ( fname ) {
                 *fname = datafile;
         }
- sprintf(datafile, "%s"DIR_SEP"%s", home, MAELSTROM_DATA);
+ snprintf(datafile, sizeof(datafile), "%s"DIR_SEP"%s", home, MAELSTROM_DATA);
         if ( (data=fopen(datafile, mode)) == NULL )
                 return(NULL);
         return(data);
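Review bot: The snprintf on the added line is still unchecked, so an over-long `home` yields a silently truncated path that the fopen() below then opens or creates under the wrong name; capture the return and refuse to continue, e.g. `if ( snprintf(datafile, sizeof(datafile), "%s"DIR_SEP"%s", home, MAELSTROM_DATA) >= (int)sizeof(datafile) ) return(NULL);`. The declaration of `datafile` is outside the hunk; `sizeof(datafile)` is a buffer size only if it is an array, and would quietly be the pointer size if it were a `char *`. The enclosing function starts and ends outside the hunk.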
diff -ur Maelstrom-3.0.6-orig/dialog.h Maelstrom-3.0.6/dialog.h
--- Maelstrom-3.0.6-orig/dialog.h 2001-07-21 00:08:10 +0900
+++ Maelstrom-3.0.6/dialog.h 2003-05-21 11:24:33 +0900
-92,7 +92,7
                 va_list ap;
 
                 va_start(ap, fmt);
- vsprintf(errbuf, fmt, ap);
+ vsnprintf(errbuf, sizeof(errbuf), fmt, ap);
                 va_end(ap);
                 errstr = errbuf;
         }
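Review bot: `sizeof(errbuf)` on the added line bounds the write only if `errbuf` is an array; its declaration is outside the hunk, and if it were a `char *` member the expression would quietly evaluate to the pointer size. The same `vsprintf`→`vsnprintf` replacement inside an `error(fmt, ...)` wrapper appears in Mac_FontServ.h, Mac_Resource.h, Mac_Sound.h, Mac_Wave.h and SDL_FrameBuf.h, so the same check applies to each of them. Truncating an error message is harmless, so leaving the return value unchecked is acceptable here, though a comment such as `/* message is truncated, never overflowed, if it exceeds errbuf */` would record that this is intentional. The enclosing method starts outside the hunk.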
-878,7 +878,7
                 if ( entry->text ) {
                         Fontserv->FreeText(entry->text);
                 }
- sprintf(buf, "%d", *entry->variable);
+ snprintf(buf, sizeof(buf), "%d", *entry->variable);
 
                 if ( entry->hilite ) {
                         clear = Fg;
diff -ur Maelstrom-3.0.6-orig/load.cpp Maelstrom-3.0.6/load.cpp
--- Maelstrom-3.0.6-orig/load.cpp 2000-02-15 11:47:39 +0900
+++ Maelstrom-3.0.6/load.cpp 2003-05-21 11:26:18 +0900
-81,7 +81,7
         SDL_Surface *bmp, *title;
         
         /* Open the title file -- we know its colormap is our global one */
- sprintf(file, "Images"DIR_SEP"Maelstrom_Titles#%d.bmp", title_id);
+ snprintf(file, sizeof(file), "Images"DIR_SEP"Maelstrom_Titles#%d.bmp", title_id);
         bmp = SDL_LoadBMP(path.Path(file));
         if ( bmp == NULL ) {
                 return(NULL);
-103,7 +103,7
         Uint16 w, h;
         
         /* Open the cicn sprite file.. */
- sprintf(file, "Images"DIR_SEP"Maelstrom_Icon#%hd.cicn", cicn_id);
+ snprintf(file, sizeof(file), "Images"DIR_SEP"Maelstrom_Icon#%hd.cicn", cicn_id);
         if ( (cicn_src=SDL_RWFromFile(path.Path(file), "r")) == NULL ) {
                 error("GetCIcon(%hd): Can't open CICN %s: ",
                                         cicn_id, path.Path(file));
diff -ur Maelstrom-3.0.6-orig/maclib/Mac_FontServ.h Maelstrom-3.0.6/maclib/Mac_FontServ.h
--- Maelstrom-3.0.6-orig/maclib/Mac_FontServ.h 1999-12-03 02:15:33 +0900
+++ Maelstrom-3.0.6/maclib/Mac_FontServ.h 2003-05-21 11:28:43 +0900
-135,7 +135,7
                 va_list ap;
 
                 va_start(ap, fmt);
- vsprintf(errbuf, fmt, ap);
+ vsnprintf(errbuf, sizeof(errbuf), fmt, ap);
                 va_end(ap);
                 errstr = errbuf;
         }
diff -ur Maelstrom-3.0.6-orig/maclib/Mac_Resource.h Maelstrom-3.0.6/maclib/Mac_Resource.h
--- Maelstrom-3.0.6-orig/maclib/Mac_Resource.h 1999-12-04 03:01:47 +0900
+++ Maelstrom-3.0.6/maclib/Mac_Resource.h 2003-05-21 11:28:35 +0900
-96,7 +96,7
                 va_list ap;
 
                 va_start(ap, fmt);
- vsprintf(errbuf, fmt, ap);
+ vsnprintf(errbuf, sizeof(errbuf), fmt, ap);
                 va_end(ap);
                 errstr = errbuf;
         }
diff -ur Maelstrom-3.0.6-orig/maclib/Mac_Sound.h Maelstrom-3.0.6/maclib/Mac_Sound.h
--- Maelstrom-3.0.6-orig/maclib/Mac_Sound.h 2002-10-20 11:53:34 +0900
+++ Maelstrom-3.0.6/maclib/Mac_Sound.h 2003-05-21 11:28:27 +0900
-199,7 +199,7
                 va_list ap;
 
                 va_start(ap, fmt);
- vsprintf(errbuf, fmt, ap);
+ vsnprintf(errbuf, sizeof(errbuf), fmt, ap);
                 va_end(ap);
                 errstr = errbuf;
         }
diff -ur Maelstrom-3.0.6-orig/maclib/Mac_Wave.h Maelstrom-3.0.6/maclib/Mac_Wave.h
--- Maelstrom-3.0.6-orig/maclib/Mac_Wave.h 2000-01-26 01:44:10 +0900
+++ Maelstrom-3.0.6/maclib/Mac_Wave.h 2003-05-21 11:28:20 +0900
-108,7 +108,7
                 va_list ap;
 
                 va_start(ap, fmt);
- vsprintf(errbuf, fmt, ap);
+ vsnprintf(errbuf, sizeof(errbuf), fmt, ap);
                 va_end(ap);
                 errstr = errbuf;
         }
diff -ur Maelstrom-3.0.6-orig/maclib/macres.cpp Maelstrom-3.0.6/maclib/macres.cpp
--- Maelstrom-3.0.6-orig/maclib/macres.cpp 2000-01-26 01:44:20 +0900
+++ Maelstrom-3.0.6/maclib/macres.cpp 2003-05-21 11:30:01 +0900
-58,8 +58,8
                                 ids[j], res->ResourceName(types[i], ids[j]));
                         if ( argv[2] ) {
                                 char path[23];
- sprintf(path,"%s/%s:%hu", argv[2],
- types[i], ids[j]);
+ snprintf(path, sizeof(path), "%s/%s:%hu",
+ argv[2], types[i], ids[j]);
                                 FILE *output;
                                 Mac_ResData *D;
                                     if ( (output=fopen(path, "w")) != NULL ) {
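Review bot: `path` is only 23 bytes (context line above) and is filled from `argv[2]` plus the resource type and id, so with the new snprintf almost any real directory argument is truncated rather than overflowed, and the resource is then written under a mangled name by the fopen() below. Check the return value and skip the entry when the name does not fit, `if ( snprintf(path, sizeof(path), "%s/%s:%hu", argv[2], types[i], ids[j]) >= (int)sizeof(path) ) continue;` (assuming this sits directly in the `ids[j]` loop), or size `path` from `strlen(argv[2])` instead of a constant. The enclosing loop starts and ends outside the hunk.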
diff -ur Maelstrom-3.0.6-orig/maclib/snd2wav.cpp Maelstrom-3.0.6/maclib/snd2wav.cpp
--- Maelstrom-3.0.6-orig/maclib/snd2wav.cpp 2001-03-28 12:54:50 +0900
+++ Maelstrom-3.0.6/maclib/snd2wav.cpp 2003-05-21 11:29:23 +0900
-82,7 +82,7
                         continue;
                 }
                 wave.Load(snd, rate);
- sprintf(wavname, "snd_%d.wav", ids[i]);
+ snprintf(wavname, sizeof(wavname), "snd_%d.wav", ids[i]);
                 wave.Save(wavname);
         }
         delete macx;
diff -ur Maelstrom-3.0.6-orig/main.cpp Maelstrom-3.0.6/main.cpp
--- Maelstrom-3.0.6-orig/main.cpp 2002-10-20 11:53:32 +0900
+++ Maelstrom-3.0.6/main.cpp 2003-05-21 11:27:02 +0900
-445,7 +445,7
                 DrawText(xOff+309-7, yOff+240-6, text, geneva, STYLE_BOLD,
                                                         0x00, 0x00, 0x00);
         }
- sprintf(text, "%d", gSoundLevel);
+ snprintf(text, sizeof(text), "%d", gSoundLevel);
         DrawText(xOff+309-7, yOff+240-6, text, geneva, STYLE_BOLD,
                                                 30000>>8, 30000>>8, 0xFF);
         screen->Update();
-547,11 +547,11
                 }
                 DrawText(xOff+5, botDiv+42+(index*18), hScores[index].name,
                                                 font, STYLE_BOLD, R, G, B);
- sprintf(buffer, "%u", hScores[index].score);
+ snprintf(buffer, sizeof(buffer), "%u", hScores[index].score);
                 sw = fontserv->TextWidth(buffer, font, STYLE_BOLD);
                 DrawText(sRt-sw, botDiv+42+(index*18), buffer,
                                                 font, STYLE_BOLD, R, G, B);
- sprintf(buffer, "%u", hScores[index].wave);
+ snprintf(buffer, sizeof(buffer), "%u", hScores[index].wave);
                 sw = fontserv->TextWidth(buffer, font, STYLE_BOLD);
                 DrawText(wRt-sw, botDiv+42+(index*18), buffer,
                                                 font, STYLE_BOLD, R, G, B);
-560,7 +560,7
 
         DrawText(xOff+5, botDiv+46+(10*18)+3, "Last Score: ",
                                         bigfont, STYLE_NORM, 0xFF, 0xFF, 0xFF);
- sprintf(buffer, "%d", GetScore());
+ snprintf(buffer, sizeof(buffer), "%d", GetScore());
         sw = fontserv->TextWidth("Last Score: ", bigfont, STYLE_NORM);
         DrawText(xOff+5+sw, botDiv+46+(index*18)+3, buffer,
                                         bigfont, STYLE_NORM, 0xFF, 0xFF, 0xFF);
diff -ur Maelstrom-3.0.6-orig/myerror.cpp Maelstrom-3.0.6/myerror.cpp
--- Maelstrom-3.0.6-orig/myerror.cpp 1998-07-14 10:50:17 +0900
+++ Maelstrom-3.0.6/myerror.cpp 2003-05-21 11:23:33 +0900
-16,7 +16,7
         va_list ap;
 
         va_start(ap, fmt);
- vsprintf(mesg, fmt, ap);
+ vsnprintf(mesg, sizeof(mesg), fmt, ap);
         fputs(mesg, stderr);
         va_end(ap);
 }
-27,7 +27,7
         va_list ap;
 
         va_start(ap, fmt);
- vsprintf(mesg, fmt, ap);
+ vsnprintf(mesg, sizeof(mesg), fmt, ap);
         fputs(mesg, stdout);
         va_end(ap);
 }
-37,7 +37,7
         char buffer[BUFSIZ];
 
         if ( *msg ) {
- sprintf(buffer, "%s: %s\n", msg, strerror(errno));
+ snprintf(buffer, sizeof(buffer), "%s: %s\n", msg, strerror(errno));
                 error(buffer);
         } else
                 error((char *)strerror(errno));
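Review bot: The `error(buffer)` call on the context line after the added snprintf passes caller-supplied text as the format string: `error()` is variadic (the hunks above show it running `vsnprintf(mesg, sizeof(mesg), fmt, ap)`), so any `%` in `msg` is interpreted as a conversion and pulls arguments that were never passed. Route it through a literal format instead, `error("%s", buffer);`, and likewise `error("%s", strerror(errno));` on the last line, which also drops the `(char *)` cast. With that change the intermediate `buffer` is unnecessary: `error("%s: %s\n", msg, strerror(errno));` does the same in one call. The enclosing function starts and ends outside the hunk.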
diff -ur Maelstrom-3.0.6-orig/netlogic/game.cpp Maelstrom-3.0.6/netlogic/game.cpp
--- Maelstrom-3.0.6-orig/netlogic/game.cpp 2001-07-23 11:24:03 +0900
+++ Maelstrom-3.0.6/netlogic/game.cpp 2003-05-21 11:33:19 +0900
-232,7 +232,7
 
                         lastDisplayed = gDisplayed;
                         screen->FillRect(0, 0, SCREEN_WIDTH, 12, ourBlack);
- sprintf(caption,
+ snprintf(caption, sizeof(caption),
                                 "You are player %d --- displaying player %d",
                                                 gOurPlayer+1, gDisplayed+1);
                         DrawText(SPRITES_WIDTH, 11, caption, geneva,
-357,7 +357,7
                                 /* -- Erase old and draw new score */
                                 screen->FillRect(45, gStatusLine+1,
                                         score_width, text_height, ourBlack);
- sprintf(numbuf, "%d", Score);
+ snprintf(numbuf, sizeof(numbuf), "%d", Score);
                                 score_width = DrawText(45, gStatusLine+11,
                                                 numbuf, geneva, STYLE_BOLD,
                                                         0xFF, 0xFF, 0xFF);
-380,7 +380,7
                 if (lastWave != gWave) {
                         screen->FillRect(255, gStatusLine+1,
                                         wave_width, text_height, ourBlack);
- sprintf(numbuf, "%d", gWave);
+ snprintf(numbuf, sizeof(numbuf), "%d", gWave);
                         wave_width = DrawText(255, gStatusLine+11,
                                         numbuf, geneva, STYLE_BOLD,
                                                         0xFF, 0xFF, 0xFF);
-391,7 +391,7
                 if (lastLives != Lives) {
                         screen->FillRect(319, gStatusLine+1,
                                         lives_width, text_height, ourBlack);
- sprintf(numbuf, "%-3.1d", Lives);
+ snprintf(numbuf, sizeof(numbuf), "%-3.1d", Lives);
                         lives_width = DrawText(319, gStatusLine+11,
                                         numbuf, geneva, STYLE_BOLD,
                                                         0xFF, 0xFF, 0xFF);
-402,7 +402,7
                 if (lastBonus != Bonus) {
                         screen->FillRect(384, gStatusLine+1,
                                         bonus_width, text_height, ourBlack);
- sprintf(numbuf, "%-7.1d", Bonus);
+ snprintf(numbuf, sizeof(numbuf), "%-7.1d", Bonus);
                         bonus_width = DrawText(384, gStatusLine+11,
                                         numbuf, geneva, STYLE_BOLD,
                                                         0xFF, 0xFF, 0xFF);
-414,7 +414,7
                         if (lastFrags != Frags) {
                                 screen->FillRect(fragoff, gStatusLine+1,
                                         frags_width, text_height, ourBlack);
- sprintf(numbuf, "%-3.1d", Frags);
+ snprintf(numbuf, sizeof(numbuf), "%-3.1d", Frags);
                                 frags_width = DrawText(fragoff, gStatusLine+11,
                                                 numbuf, geneva, STYLE_BOLD,
                                                         0xFF, 0xFF, 0xFF);
-747,10 +747,11
                 for ( i=0; i<gNumPlayers; ++i ) {
                         char buffer[BUFSIZ], num1[12], num2[12];
 
- sprintf(num1, "%7.1d", final[i].Score);
- sprintf(num2, "%3.1d", final[i].Frags);
- sprintf(buffer, "Player %d: %-.7s Points, %-.3s Frags",
- final[i].Player, num1, num2);
+ snprintf(num1, sizeof(num1), "%7.1d", final[i].Score);
+ snprintf(num2, sizeof(num2), "%3.1d", final[i].Frags);
+ snprintf(buffer, sizeof(buffer),
+ "Player %d: %-.7s Points, %-.3s Frags",
+ final[i].Player, num1, num2);
                         DrawText(160, 380+i*newyork_height, buffer,
                                 newyork, STYLE_NORM, 30000>>8, 30000>>8, 0xFF);
                 }
-898,7 +899,7
         
 
         /* -- Draw the wave completed message */
- sprintf(numbuf, "Wave %d completed.", gWave);
+ snprintf(numbuf, sizeof(numbuf), "Wave %d completed.", gWave);
         sw = fontserv->TextWidth(numbuf, geneva, STYLE_BOLD);
         x = (SCREEN_WIDTH - sw) / 2;
         DrawText(x, 150, numbuf, geneva, STYLE_BOLD, 0xFF, 0xFF, 0x00);
-935,7 +936,7
                 if (OurShip->GetBonusMult() != 1) {
                         SDL_Surface *sprite;
 
- sprintf(numbuf, "%-5.1d", OurShip->GetBonus());
+ snprintf(numbuf, sizeof(numbuf), "%-5.1d", OurShip->GetBonus());
                         DrawText(x, 200, numbuf, geneva, STYLE_BOLD,
                                                         0xFF, 0xFF, 0xFF);
                         x += 75;
-951,10 +952,10
         Delay(SOUND_DELAY);
         sound->PlaySound(gFunk, 5);
 
- sprintf(numbuf, "%-5.1d", OurShip->GetBonus());
+ snprintf(numbuf, sizeof(numbuf), "%-5.1d", OurShip->GetBonus());
         bonus_width = DrawText(x, 200, numbuf, geneva, STYLE_BOLD,
                                                         0xFF, 0xFF, 0xFF);
- sprintf(numbuf, "%-5.1d", OurShip->GetScore());
+ snprintf(numbuf, sizeof(numbuf), "%-5.1d", OurShip->GetScore());
         score_width = DrawText(xt, 220, numbuf, geneva, STYLE_BOLD,
                                                         0xFF, 0xFF, 0xFF);
         screen->Update();
-997,12 +998,12
         
                         screen->FillRect(x, 200-text_height+2,
                                         bonus_width, text_height, ourBlack);
- sprintf(numbuf, "%-5.1d", OurShip->GetBonus());
+ snprintf(numbuf, sizeof(numbuf), "%-5.1d", OurShip->GetBonus());
                         bonus_width = DrawText(x, 200, numbuf,
                                         geneva, STYLE_BOLD, 0xFF, 0xFF, 0xFF);
                         screen->FillRect(xt, 220-text_height+2,
                                         score_width, text_height, ourBlack);
- sprintf(numbuf, "%-5.1d", OurShip->GetScore());
+ snprintf(numbuf, sizeof(numbuf), "%-5.1d", OurShip->GetScore());
                         score_width = DrawText(xt, 220, numbuf,
                                         geneva, STYLE_BOLD, 0xFF, 0xFF, 0xFF);
 
-1015,7 +1016,7
         HandleEvents(10);
 
         /* -- Draw the "next wave" message */
- sprintf(numbuf, "Prepare for Wave %d...", gWave+1);
+ snprintf(numbuf, sizeof(numbuf), "Prepare for Wave %d...", gWave+1);
         sw = fontserv->TextWidth(numbuf, geneva, STYLE_BOLD);
         x = (SCREEN_WIDTH - sw)/2;
         DrawText(x, 259, numbuf, geneva, STYLE_BOLD, 0xFF, 0xFF, 0x00);
diff -ur Maelstrom-3.0.6-orig/netlogic/netplay.cpp Maelstrom-3.0.6/netlogic/netplay.cpp
--- Maelstrom-3.0.6-orig/netlogic/netplay.cpp 2002-10-20 13:11:52 +0900
+++ Maelstrom-3.0.6/netlogic/netplay.cpp 2003-05-21 11:31:43 +0900
-670,7 +670,9
                 strcpy(message, "Waiting for players:");
                 for ( i=0; i<gNumPlayers; ++i ) {
                         if ( ! acked[i] )
- sprintf(&message[strlen(message)], " %d", i+1);
+ snprintf(&message[strlen(message)],
+ sizeof(message)-strlen(message),
+ " %d", i+1);
                 }
                 Message(message);
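Review bot: The added call evaluates `strlen(message)` twice per iteration on a string that only grows; computing it once reads more clearly and derives the destination pointer and the remaining size from the same value: `size_t used = strlen(message); snprintf(message+used, sizeof(message)-used, " %d", i+1);`. The bound is sound as written, because snprintf always terminates its output, so `used` never reaches `sizeof(message)` and the remaining size stays at least 1. `message` is declared outside the hunk; `sizeof(message)` is only a buffer size if it is an array. The enclosing function starts and ends outside the hunk.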
 
-725,7 +727,7
                         /* Check the player... */
                         if ( (i != gOurPlayer) && (netbuf[1] == gOurPlayer) ) {
                                 /* Print message, sleep 3 seconds absolutely */
- sprintf(message,
+ snprintf(message, sizeof(message),
         "Error: Another player (%d) thinks they are player 1!\r\n", i+1);
                                 ErrorMessage(message);
                                 /* Suck up retransmission packets */
diff -ur Maelstrom-3.0.6-orig/netscore.cpp Maelstrom-3.0.6/netscore.cpp
--- Maelstrom-3.0.6-orig/netscore.cpp 2001-07-23 12:25:17 +0900
+++ Maelstrom-3.0.6/netscore.cpp 2003-05-21 11:27:18 +0900
-59,7 +59,7
 
         /* Send the scores */
         crc = get_checksum(key, KEY_LEN);
- sprintf(netbuf, SCOREFMT, crc, high.name, high.score, high.wave);
+ snprintf(netbuf, sizeof(netbuf), SCOREFMT, crc, high.name, high.score, high.wave);
         SDLNet_TCP_Send(remote, netbuf, strlen(netbuf));
         n = SDLNet_TCP_Recv(remote, netbuf, 1024);
         if ( n > 0 ) {
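Review bot: The patch bounds the send-side format but leaves the receive two lines later with a literal `1024` in `SDLNet_TCP_Recv(remote, netbuf, 1024)`; if `netbuf` (declared outside the hunk) is smaller than that, the peer's reply overflows it, and even if it is exactly 1024 the constant and the buffer can drift apart on a later edit. Use the same bound, `n = SDLNet_TCP_Recv(remote, netbuf, sizeof(netbuf)-1);`, and since the `n` received bytes are not NUL-terminated, write `netbuf[n] = '\0';` inside the `n > 0` branch before anything treats the reply as a string; that branch continues outside the hunk. A truncated SCOREFMT line (a long `high.name`) is also sent as-is; checking the snprintf return before `SDLNet_TCP_Send` would avoid emitting a malformed record. The enclosing function starts and ends outside the hunk.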
diff -ur Maelstrom-3.0.6-orig/screenlib/SDL_FrameBuf.cpp Maelstrom-3.0.6/screenlib/SDL_FrameBuf.cpp
--- Maelstrom-3.0.6-orig/screenlib/SDL_FrameBuf.cpp 2001-07-23 06:03:13 +0900
+++ Maelstrom-3.0.6/screenlib/SDL_FrameBuf.cpp 2003-05-21 11:31:01 +0900
-628,7 +628,7
 
                 found = 0;
                 for ( which=0; !found; ++which ) {
- sprintf(file, "%s%d.bmp", prefix, which);
+ snprintf(file, sizeof(file), "%s%d.bmp", prefix, which);
                         if ( ((fp=fopen(file, "r")) == NULL) &&
                              ((fp=fopen(file, "w")) != NULL) ) {
                                 found = 1;
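Review bot: The new snprintf makes the unique-filename loop fail in a different way when `prefix` is long: once the name is truncated the `%d` counter no longer changes it, so if that file already exists the `fopen(file, "r")` probe succeeds on every iteration and the loop never terminates. The existing probe also leaks its `FILE *` whenever the `"r"` open succeeds, because nothing closes `fp` before the next iteration. Check the snprintf return and stop when the name does not fit, and fclose() the probe handle; the rest of the loop body and the caller's handling of `found` are outside the hunk. The probe-then-create pair remains a race between the two opens, which an exclusive-create open (`"wx"` / O_EXCL) would remove, but that is beyond this patch.
```cpp
for ( which=0; !found; ++which ) {
        int len = snprintf(file, sizeof(file), "%s%d.bmp", prefix, which);
        if ( (len < 0) || ((size_t)len >= sizeof(file)) ) {
                break;          /* name would be truncated; caller sees found == 0 */
        }
        if ( (fp=fopen(file, "r")) != NULL ) {
                fclose(fp);     /* exists: release the probe handle, try the next number */
                continue;
        }
        if ( (fp=fopen(file, "w")) != NULL ) {
                found = 1;
                // … unchanged: rest of the loop body …
```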
diff -ur Maelstrom-3.0.6-orig/screenlib/SDL_FrameBuf.h Maelstrom-3.0.6/screenlib/SDL_FrameBuf.h
--- Maelstrom-3.0.6-orig/screenlib/SDL_FrameBuf.h 2000-09-25 02:55:39 +0900
+++ Maelstrom-3.0.6/screenlib/SDL_FrameBuf.h 2003-05-21 11:27:41 +0900
-165,7 +165,7
                 va_list ap;
 
                 va_start(ap, fmt);
- vsprintf(errbuf, fmt, ap);
+ vsnprintf(errbuf, sizeof(errbuf), fmt, ap);
                 va_end(ap);
                 errstr = errbuf;
         }