Advanced Rogue family: fix some potential buffer overflows.

Some code for determining the score file location assumed that PATH_MAX would be less than 1024, which cannot be guaranteed. Advanced Rogue 5 and 7, and XRogue, have had the buffers for the file name enlarged. UltraRogue never called the functions, so the code has been deleted instead.
2021-05-03 19:05:37 -04:00 · 2021-05-03 19:05:37 -04:00 · 3dfd8fd09b
commit 3dfd8fd09b
parent 2b6d8bcb77
13 changed files with 51 additions and 78 deletions
--- a/arogue5/main.c
+++ b/arogue5/main.c
@ -61,6 +61,7 @@ main(int argc, char *argv[], char *envp[])
     * get home and options from environment
     */
    strncpy(home,md_gethomedir(),LINELEN);
+    home[LINELEN-1] = '\0';

 #ifdef SAVEDIR
    if (argc >= 3 && !strcmp(argv[1], "-n")) {
@ -82,8 +83,8 @@ main(int argc, char *argv[], char *envp[])
    }

 #ifdef SCOREFILE
-    strncpy(score_file, SCOREFILE, LINELEN);
-    score_file[LINELEN - 1] = '\0';
+    strncpy(score_file, SCOREFILE, PATH_MAX);
+    score_file[PATH_MAX - 1] = '\0';
 #else
    /* Get default score file */
    strcpy(score_file, roguedir);
--- a/arogue5/mdport.c
+++ b/arogue5/mdport.c
@ -418,7 +418,7 @@ directory_exists(char *dirname)
 char *
 md_getroguedir(void)
 {
-    static char path[1024];
+    static char path[PATH_MAX-20];
    char *end,*home;

    if ( (home = getenv("ROGUEHOME")) != NULL)
@ -427,13 +427,17 @@ md_getroguedir(void)
        {
            strncpy(path, home, PATH_MAX - 20);

-            end = &path[strlen(path)-1];
+            if (path[PATH_MAX-21] == '\0')
+            {

-            while( (end >= path) && ((*end == '/') || (*end == '\\')))
-                *end-- = '\0';
+                end = &path[strlen(path)-1];

-            if (directory_exists(path))
-                return(path);
+                while( (end >= path) && ((*end == '/') || (*end == '\\')))
+                    *end-- = '\0';
+
+                if (directory_exists(path))
+                    return(path);
+            }
        }
    }

--- a/arogue5/options.c
+++ b/arogue5/options.c
@ -17,6 +17,7 @@
 #include "curses.h"
 #include <ctype.h>
 #include <string.h>
+#include <limits.h>
 #include "rogue.h"

 #define	NUM_OPTS	(sizeof optlist / sizeof (OPTION))
@ -91,7 +92,7 @@ int get_restr(char *optstr, WINDOW *win)
 /* For the score file, which must be opened. */
 int get_score(char *optstr, WINDOW *win)
 {
-    char old_score_file[LINELEN];
+    char old_score_file[PATH_MAX];
    int status;

    if (use_savedir)
--- a/arogue5/rogue.c
+++ b/arogue5/rogue.c
@ -13,6 +13,7 @@
 */

 #include <ctype.h>
+#include <limits.h>
 #include "curses.h"
 #include "rogue.h"

@ -85,7 +86,7 @@ char *ws_guess[MAXSTICKS];		/* Players guess at what wand is */
 char *m_guess[MAXMM];			/* Players guess at what MM is */
 char *ws_type[MAXSTICKS];		/* Is it a wand or a staff */
 char file_name[256];			/* Save file name */
-char score_file[LINELEN];		/* Score file name */
+char score_file[PATH_MAX];		/* Score file name */
 char home[LINELEN];			/* User's home directory */
 WINDOW *cw;				/* Window that the player sees */
 WINDOW *hw;				/* Used for the help command */