Advanced Rogue family: fix some potential buffer overflows.

Some code for determining the score file location assumed that PATH_MAX would be less than 1024, which cannot be guaranteed. Advanced Rogue 5 and 7, and XRogue, have had the buffers for the file name enlarged. UltraRogue never called the functions, so the code has been deleted instead.
2021-05-03 19:05:37 -04:00 · 2021-05-03 19:05:37 -04:00 · 3dfd8fd09b
commit 3dfd8fd09b
parent 2b6d8bcb77
13 changed files with 51 additions and 78 deletions
--- a/arogue5/main.c
+++ b/arogue5/main.c
@ -61,6 +61,7 @@ main(int argc, char *argv[], char *envp[])
     * get home and options from environment
     */
    strncpy(home,md_gethomedir(),LINELEN);
+    home[LINELEN-1] = '\0';

 #ifdef SAVEDIR
    if (argc >= 3 && !strcmp(argv[1], "-n")) {
@ -82,8 +83,8 @@ main(int argc, char *argv[], char *envp[])
    }

 #ifdef SCOREFILE
-    strncpy(score_file, SCOREFILE, LINELEN);
-    score_file[LINELEN - 1] = '\0';
+    strncpy(score_file, SCOREFILE, PATH_MAX);
+    score_file[PATH_MAX - 1] = '\0';
 #else
    /* Get default score file */
    strcpy(score_file, roguedir);
--- a/arogue5/mdport.c
+++ b/arogue5/mdport.c
@ -418,7 +418,7 @@ directory_exists(char *dirname)
 char *
 md_getroguedir(void)
 {
-    static char path[1024];
+    static char path[PATH_MAX-20];
    char *end,*home;

    if ( (home = getenv("ROGUEHOME")) != NULL)
@ -427,13 +427,17 @@ md_getroguedir(void)
        {
            strncpy(path, home, PATH_MAX - 20);

-            end = &path[strlen(path)-1];
+            if (path[PATH_MAX-21] == '\0')
+            {

-            while( (end >= path) && ((*end == '/') || (*end == '\\')))
-                *end-- = '\0';
+                end = &path[strlen(path)-1];

-            if (directory_exists(path))
-                return(path);
+                while( (end >= path) && ((*end == '/') || (*end == '\\')))
+                    *end-- = '\0';
+
+                if (directory_exists(path))
+                    return(path);
+            }
        }
    }

--- a/arogue5/options.c
+++ b/arogue5/options.c
@ -17,6 +17,7 @@
 #include "curses.h"
 #include <ctype.h>
 #include <string.h>
+#include <limits.h>
 #include "rogue.h"

 #define	NUM_OPTS	(sizeof optlist / sizeof (OPTION))
@ -91,7 +92,7 @@ int get_restr(char *optstr, WINDOW *win)
 /* For the score file, which must be opened. */
 int get_score(char *optstr, WINDOW *win)
 {
-    char old_score_file[LINELEN];
+    char old_score_file[PATH_MAX];
    int status;

    if (use_savedir)
--- a/arogue5/rogue.c
+++ b/arogue5/rogue.c
@ -13,6 +13,7 @@
 */

 #include <ctype.h>
+#include <limits.h>
 #include "curses.h"
 #include "rogue.h"

@ -85,7 +86,7 @@ char *ws_guess[MAXSTICKS];		/* Players guess at what wand is */
 char *m_guess[MAXMM];			/* Players guess at what MM is */
 char *ws_type[MAXSTICKS];		/* Is it a wand or a staff */
 char file_name[256];			/* Save file name */
-char score_file[LINELEN];		/* Score file name */
+char score_file[PATH_MAX];		/* Score file name */
 char home[LINELEN];			/* User's home directory */
 WINDOW *cw;				/* Window that the player sees */
 WINDOW *hw;				/* Used for the help command */
--- a/arogue7/main.c
+++ b/arogue7/main.c
@ -16,6 +16,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <signal.h>
+#include <limits.h>
 #include <errno.h>
 #ifdef BSD
 #include <sys/time.h>
@ -59,6 +60,7 @@ main(int argc, char *argv[], char *envp[])
     */

    strncpy(home, md_gethomedir(), LINELEN);
+    home[LINELEN-1] = '\0';

    /* Get default save file */
    strcpy(file_name, home);
@ -66,8 +68,8 @@ main(int argc, char *argv[], char *envp[])

    /* Get default score file */
 #ifdef SCOREFILE
-    strncpy(score_file, SCOREFILE, LINELEN);
-    score_file[LINELEN-1] = '\0';
+    strncpy(score_file, SCOREFILE, PATH_MAX);
+    score_file[PATH_MAX-1] = '\0';
 #else
    strcpy(score_file, md_getroguedir());

--- a/arogue7/mdport.c
+++ b/arogue7/mdport.c
@ -421,7 +421,7 @@ directory_exists(char *dirname)
 char *
 md_getroguedir(void)
 {
-    static char path[1024];
+    static char path[PATH_MAX-20];
    char *end,*home;

    if ( (home = getenv("ROGUEHOME")) != NULL)
@ -430,13 +430,16 @@ md_getroguedir(void)
        {
            strncpy(path, home, PATH_MAX - 20);

-            end = &path[strlen(path)-1];
+            if (path[PATH_MAX-21] == '\0')
+            {
+                end = &path[strlen(path)-1];

-            while( (end >= path) && ((*end == '/') || (*end == '\\')))
-                *end-- = '\0';
+                while( (end >= path) && ((*end == '/') || (*end == '\\')))
+                    *end-- = '\0';

-            if (directory_exists(path))
-                return(path);
+                if (directory_exists(path))
+                    return(path);
+            }
        }
    }

--- a/arogue7/options.c
+++ b/arogue7/options.c
@ -21,6 +21,7 @@

 #include "curses.h"
 #include <ctype.h>
+#include <limits.h>
 #include <string.h>
 #include "rogue.h"

@ -491,7 +492,7 @@ get_str_prot(char *opt, WINDOW *win)
 int
 get_score(char *optstr, WINDOW *win)
 {
-    char old_score_file[LINELEN];
+    char old_score_file[PATH_MAX];
    int status;

    if (use_savedir)
--- a/arogue7/rogue.c
+++ b/arogue7/rogue.c
@ -13,6 +13,7 @@
 */

 #include <ctype.h>
+#include <limits.h>
 #include "curses.h"
 #include "rogue.h"
 #ifdef PC7300
@ -102,7 +103,7 @@ char *ws_guess[MAXSTICKS];		/* Players guess at what wand is */
 char *m_guess[MAXMM];			/* Players guess at what MM is */
 char *ws_type[MAXSTICKS];		/* Is it a wand or a staff */
 char file_name[LINELEN];		/* Save file name */
-char score_file[LINELEN];		/* Score file name */
+char score_file[PATH_MAX];		/* Score file name */
 char home[LINELEN];			/* User's home directory */
 WINDOW *cw;				/* Window that the player sees */
 WINDOW *hw;				/* Used for the help command */
--- a/urogue/mdport.c
+++ b/urogue/mdport.c
@ -401,54 +401,6 @@ md_shellescape()
 #endif
 }

-int
-directory_exists(char *dirname)
-{
-    struct stat sb;
-
-    if (stat(dirname, &sb) == 0) /* path exists */
-        return (sb.st_mode & S_IFDIR);
-
-    return(0);
-}
-
-char *
-md_getroguedir()
-{
-    static char path[1024];
-    char *end,*home;
-
-    if ( (home = getenv("ROGUEHOME")) != NULL)
-    {
-        if (*home)
-        {
-            strncpy(path, home, PATH_MAX - 20);
-
-            end = &path[strlen(path)-1];
-
-            while( (end >= path) && ((*end == '/') || (*end == '\\')))
-                *end-- = '\0';
-
-            if (directory_exists(path))
-                return(path);
-        }
-    }
-
-    if (directory_exists("/var/games/roguelike"))
-        return("/var/games/roguelike");
-    if (directory_exists("/var/lib/roguelike"))
-        return("/var/lib/roguelike");
-    if (directory_exists("/var/roguelike"))
-        return("/var/roguelike");
-    if (directory_exists("/usr/games/lib"))
-        return("/usr/games/lib");
-    if (directory_exists("/games/roguelik"))
-        return("/games/roguelik");
-    if (directory_exists(md_gethomedir()))
-	return(md_gethomedir());
-    return("");
-}
-
 char *
 md_getrealname(int uid)
 {
--- a/xrogue/main.c
+++ b/xrogue/main.c
@ -20,6 +20,7 @@
 #include <string.h>
 #include <curses.h>
 #include <signal.h>
+#include <limits.h>
 #include <time.h>

 #include "mach_dep.h"
@ -44,6 +45,7 @@ main(int argc, char *argv[], char *envp[])
     */

    strncpy(home, md_gethomedir(), LINELEN);
+    home[LINELEN-1] = '\0';

    /* Get default save file */
    strcpy(file_name, home);
@ -51,8 +53,8 @@ main(int argc, char *argv[], char *envp[])

    /* Get default score file */
 #ifdef SCOREFILE
-    strncpy(score_file, SCOREFILE, LINELEN);
-    score_file[LINELEN-1] = '\0';
+    strncpy(score_file, SCOREFILE, PATH_MAX);
+    score_file[PATH_MAX-1] = '\0';
 #else
    strcpy(score_file, md_getroguedir());

--- a/xrogue/options.c
+++ b/xrogue/options.c
@ -24,6 +24,7 @@
 #include <curses.h>
 #include <ctype.h>
 #include <string.h>
+#include <limits.h>
 #include "rogue.h"

 #define NUM_OPTS        (sizeof optlist / sizeof (OPTION))
@ -524,7 +525,7 @@ get_str_prot(char *opt, WINDOW *win)
 int
 get_score(char *optstr, WINDOW *win)
 {
-    char old_score_file[LINELEN];
+    char old_score_file[PATH_MAX];
    int status;

    if (use_savedir)
--- a/xrogue/rogue.c
+++ b/xrogue/rogue.c
@ -18,6 +18,7 @@

 #include <ctype.h>
 #include <curses.h>
+#include <limits.h>
 #include "rogue.h"

 /*
@ -90,7 +91,7 @@ char *ws_guess[MAXSTICKS];              /* Players guess at what wand is */
 char *m_guess[MAXMM];                   /* Players guess at what MM is */
 char *ws_type[MAXSTICKS];               /* Is it a wand or a staff */
 char file_name[LINELEN];                /* Save file name */
-char score_file[LINELEN];               /* Score file name */
+char score_file[PATH_MAX];              /* Score file name */
 char home[LINELEN];                     /* User's home directory */
 WINDOW *cw;                             /* Window that the player sees */
 WINDOW *hw;                             /* Used for the help command */
--- a/xrogue/state.c
+++ b/xrogue/state.c
@ -3301,7 +3301,7 @@ directory_exists(char *dirname)
 char *
 md_getroguedir(void)
 {
-    static char path[1024];
+    static char path[PATH_MAX-20];
    char *end,*home;

    if ( (home = getenv("ROGUEHOME")) != NULL)
@ -3310,14 +3310,17 @@ md_getroguedir(void)
        {
            strncpy(path, home, PATH_MAX - 20);

-            end = &path[strlen(path)-1];
+            if (path[PATH_MAX-21] == '\0')
+            {
+                end = &path[strlen(path)-1];


-            while( (end >= path) && ((*end == '/') || (*end == '\\')))
-                *end-- = '\0';
+                while( (end >= path) && ((*end == '/') || (*end == '\\')))
+                    *end-- = '\0';

-            if (directory_exists(path))
-                return(path);
+                if (directory_exists(path))
+                    return(path);
+            }
        }
    }