Date: Tue, 23 Apr 2002 14:52:10 -0700 (PDT) From: Niels Heinen <niels.heinen@ubizen.com> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/37400: The cosmo game contains unchecked buffers Message-ID: <200204232152.g3NLqAD92256@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 37400
>Category: ports
>Synopsis: The cosmo game contains unchecked buffers
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 23 15:00:03 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Niels Heinen
>Release: 4.5
>Organization:
>Environment:
FreeBSD lappie 4.5-STABLE FreeBSD 4.5-STABLE #0: Thu Apr 18 02:05:19 CEST 2002 root@lappie:/usr/obj/usr/src/sys/GENERIC i386
>Description:
The cosmo game, which is installed setgid games can be cause
to segfault trought the -display and -bg parameters. Additionally,
during some test it tried to free() memory that was already given back
to the system.
>How-To-Repeat:
cosmo -display <A x 10000>
cosmo -bg <A x 10000>
>Fix:
--- cosmo2/setup.c Sat May 11 08:48:32 1996
+++ cosmo2-new/setup.c Tue Apr 23 23:37:10 2002
@@ -106,7 +106,8 @@
{
i++;
if(i>=ac) break;
- strcpy(display,av[i]);
+ strncpy(display,av[i],sizeof(display));
+ display[sizeof(display) - 1] = '\0';
}
else if(!strcmp(av[i],"-cmap"))
{
@@ -120,7 +121,8 @@
{
i++;
if(i>=ac) show_usage();
- strcpy(bgfn,av[i]);
+ strncpy(bgfn,av[i],sizeof(bgfn));
+ bgfn[sizeof(bgfn) - 1] = '\0';
}
else if(!strcmp(av[i],"-rough"))
{
@@ -139,7 +141,7 @@
{
i++;
if(i>=ac) show_usage();
- if(strcmp(av[i],"no")) strcpy(pad_dev,av[i]);
+ if(strcmp(av[i],"no")) strncpy(pad_dev,av[i],sizeof(pad_dev)); pad_dev[sizeof(pad_dev) - 1] = '\0';
else upad=0;
}
#endif
@@ -154,10 +156,14 @@
user.uid=getuid();
p=getpwuid(user.uid);
- strcpy(user.name,p->pw_name);
- strcpy(home_dir,p->pw_dir);
+ strncpy(user.name,p->pw_name,sizeof(user.name));
+ user.name[sizeof(user.name) - 1] = '\0';
+
+ strncpy(home_dir,p->pw_dir,sizeof(home_dir));
+ home_dir[sizeof(home_dir) -1] = '\0';
if( home_dir[strlen(home_dir)-1] != '/' ) strcat(home_dir,"/");
- strcpy(rc_file,home_dir);
+ strncpy(rc_file,home_dir,sizeof(rc_file));
+ rc_file[sizeof(rc_file) - 1 ] = '\0';
strcat(rc_file,".cosmorc");
}
@@ -195,14 +201,16 @@
show_error("Too Few Arguments",buf,line,2);
return;
}
- strcpy(colorname,p);
+ strncpy(colorname,p,sizeof(colorname));
+ colorname[sizeof(colorname) - 1] = '\0';
if( (p=getnword(buf,2))==NULL )
{
show_error("Too Few Arguments",buf,line,3);
return;
}
- strcpy(color,p);
+ strncpy(color,p,sizeof(color));
+ color[sizeof(color)] = '\0';
if( !strcmp(colorname,"Background") ) strcpy(colors[Back],color);
else if( !strcmp(colorname,"Foreground") ) strcpy(colors[Fore],color);
@@ -298,7 +306,8 @@
i=1;
while(p[i]!='/'&&p[i]!='\0') name[i-1]=p[i++];
name[i-1]='\0';
- if(i==1) strcpy(name,user.name);
+ if(i==1) strncpy(name,user.name,sizeof(name));
+ name[sizeof(name) -1] = '\0';
do
{
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200204232152.g3NLqAD92256>