avoid more QBUFSZ buffer overflows
authorcohrs <cohrs>
Fri, 18 Mar 2005 03:46:20 +0000 (03:46 +0000)
committercohrs <cohrs>
Fri, 18 Mar 2005 03:46:20 +0000 (03:46 +0000)
Several places were not using safe_qbuf or anything equivalent to avoid
overflowing a QBUFSZ buffer.  Add more uses plus one special case.  For
the current max lengths returned by xname(), I think this is
sufficient.  This addresses a reported buffer overflow for a
"thoroughly rusty thoroughly corroded helm of opposite alignment", plus more.

doc/fixes34.4
src/do_name.c
src/eat.c
src/invent.c

index 76a22c198e8b92d47e0f61b158dab2ebe268732a..5d09fea56563b4a984e3ae06c7dffa9242f25311 100644 (file)
@@ -96,6 +96,7 @@ further digging of an existing hole finishes in a single turn
 only prefix shopkeeper names with "Mr." or "Ms." when not a personal name
 green slime should not affect noncorporeal monsters
 land mine explosion will destroy a drawbridge at same location
+avoid some more buffer overflows in query buffers containing object names
 
 
 Platform- and/or Interface-Specific Fixes
index f534975b6205e90ed28405acb1a4ed8f950a5963..611d385bcddbafdf69a8e0a9e3da596172bcab3d 100644 (file)
@@ -308,8 +308,11 @@ register struct obj *obj;
        const char *aname;
        short objtyp;
 
-       Sprintf(qbuf, "What do you want to name %s %s?",
-               is_plural(obj) ? "these" : "this", xname(obj));
+       Sprintf(qbuf, "What do you want to name %s ",
+               is_plural(obj) ? "these" : "this");
+       Sprintf(eos(qbuf), "%s?",
+               safe_qbuf(qbuf, sizeof("?"),
+                         xname(obj), simple_typename(obj->otyp), ""));
        getlin(qbuf, buf);
        if(!*buf || *buf == '\033')     return;
        /* strip leading and trailing spaces; unnames item if all spaces */
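Review bot: The empty-string fallback on the last line of the new safe_qbuf() call leaves a dangling space in the prompt, "What do you want to name this ?", when neither xname() nor simple_typename() fits; the display_cinventory hunk in invent.c has the same `""` fallback and would print "Contents of :". The eat.c hunk in this same commit uses `"something"` for that slot, and it reads better here as well: `xname(obj), simple_typename(obj->otyp), "something"));`. It would also help to state why the pad is `sizeof("?")` rather than 1, e.g. `/* sizeof("?") reserves the trailing "?" plus the NUL terminator */`. The enclosing function starts before this hunk and its body continues past it.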
index 99aed82194dc4f8f7d2a54c0dcbe2728ac04359a..212bc3591c73a2ece05d0ad6df35aecffc9e6d77 100644 (file)
--- a/src/eat.c
+++ b/src/eat.c
@@ -2552,19 +2552,21 @@ floorfood(verb,corpsecheck)     /* get food from floor or pack */
 
        /* Is there some food (probably a heavy corpse) here on the ground? */
        for (otmp = level.objects[u.ux][u.uy]; otmp; otmp = otmp->nexthere) {
-               if(corpsecheck ?
+           if (corpsecheck ?
                (otmp->otyp==CORPSE && (corpsecheck == 1 || tinnable(otmp))) :
                    feeding ? (otmp->oclass != COIN_CLASS && is_edible(otmp)) :
                                                otmp->oclass==FOOD_CLASS) {
-                       Sprintf(qbuf, "There %s %s here; %s %s?",
-                               otense(otmp, "are"),
-                               doname(otmp), verb,
-                               (otmp->quan == 1L) ? "it" : "one");
-                       if((c = yn_function(qbuf,ynqchars,'n')) == 'y')
-                               return(otmp);
-                       else if(c == 'q')
-                               return((struct obj *) 0);
-               }
+               Sprintf(qbuf, "There %s ", otense(otmp, "are"));
+               Sprintf(eos(qbuf), "%s here; %s %s?",
+                       safe_qbuf(qbuf, sizeof(" here;  ...?") + strlen(verb),
+                                 doname(otmp), simple_typename(otmp->otyp),
+                                 "something"),
+                       verb, (otmp->quan == 1L) ? "it" : "one");
+               if ((c = yn_function(qbuf,ynqchars,'n')) == 'y')
+                   return(otmp);
+               else if (c == 'q')
+                   return((struct obj *) 0);
+           }
        }
 
  skipfloor:
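Review bot: The padding expression `sizeof(" here;  ...?") + strlen(verb)` on the new safe_qbuf() line encodes the tail of the "%s here; %s %s?" format as a look-alike literal, with `...` standing in for the longer of "it"/"one", and nothing says so; a later edit to the format string could silently desynchronize the two. A comment beside it would keep them in step, e.g. `/* pad = everything after the name: " here; ", verb, " ", the longer of "it"/"one", "?" and the NUL */`. Re-indenting the whole `if (corpsecheck ? ...)` block in the same hunk also hides which lines actually changed; keeping whitespace-only changes separate would make the fix easier to verify. floorfood() starts before this hunk and continues after `skipfloor:`.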
index b2950569f00cb08b159e738820d89348426395c9..3061ce41cf05715e854c4d5e4266a03c0e41f1c7 100644 (file)
@@ -1367,7 +1367,7 @@ register int FDECL((*fn),(OBJ_P)), FDECL((*ckfn),(OBJ_P));
        register char sym, ilet;
        register int cnt = 0, dud = 0, tmp;
        boolean takeoff, nodot, ident, ininv;
-       char qbuf[QBUFSZ];
+       char qbuf[BUFSZ];
 
        takeoff = taking_off(word);
        ident = !strcmp(word, "identify");
@@ -1390,10 +1390,17 @@ nextclass:
                if (ident && !not_fully_identified(otmp)) continue;
                if (ckfn && !(*ckfn)(otmp)) continue;
                if (!allflag) {
-                       Strcpy(qbuf, !ininv ? doname(otmp) :
-                               xprname(otmp, (char *)0, ilet, !nodot, 0L, 0L));
-                       Strcat(qbuf, "?");
-                       sym = (takeoff || ident || otmp->quan < 2L) ?
+                   Strcpy(qbuf, !ininv ? doname(otmp) :
+                          xprname(otmp, (char *)0, ilet, !nodot, 0L, 0L));
+                   /* this code seemed too complex to use safe_qbuf */
+                   if (strlen(qbuf) > QBUFSZ - 20) {
+                       Strcpy(qbuf,
+                              !ininv ? an(simple_typename(otmp->otyp)) :
+                              xprname(otmp, simple_typename(otmp->otyp),
+                                      ilet, !nodot, 0L, 0L));
+                   }
+                   Strcat(qbuf, "?");
+                   sym = (takeoff || ident || otmp->quan < 2L) ?
                                nyaq(qbuf) : nyNaq(qbuf);
                }
                else    sym = 'y';
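Review bot: The threshold `QBUFSZ - 20` in the new length check is a magic number: nothing explains what the 20 bytes cover (presumably the appended "?" plus whatever nyaq()/nyNaq() add to the prompt, but that is not visible here), and the fallback branch is never re-checked against QBUFSZ, so it silently relies on simple_typename() and xprname()'s decoration being short. Replacing `/* this code seemed too complex to use safe_qbuf */` with a comment that states the 20-byte budget and that assumption, e.g. `/* leave 20 bytes for "?" and the y/n prompt decoration; the typename fallback is assumed to fit */`, would make the intent reviewable. The earlier hunk in this function widens qbuf from QBUFSZ to BUFSZ, which looks like it exists so the initial Strcpy of doname() cannot overflow before this check runs; that rationale belongs in the same comment, since the variable is still named as a QBUFSZ buffer. The enclosing function starts before these hunks and continues after them.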
@@ -2999,17 +3006,19 @@ display_cinventory(obj)
 register struct obj *obj;
 {
        struct obj *ret;
-       char tmp[QBUFSZ];
+       char qbuf[QBUFSZ];
        int n;
        menu_item *selected = 0;
 
-       Sprintf(tmp,"Contents of %s:", doname(obj));
+       Sprintf(qbuf,"Contents of %s:",
+               safe_qbuf("", sizeof("Contents of :"),
+                         doname(obj), simple_typename(obj->otyp), ""));
 
        if (obj->cobj) {
-           n = query_objlist(tmp, obj->cobj, INVORDER_SORT, &selected,
+           n = query_objlist(qbuf, obj->cobj, INVORDER_SORT, &selected,
                            PICK_NONE, allow_all);
        } else {
-           invdisp_nothing(tmp, "(empty)");
+           invdisp_nothing(qbuf, "(empty)");
            n = 0;
        }
        if (n > 0) {
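Review bot: Passing the literal `""` as the first argument of safe_qbuf() while the real destination is qbuf is correct only because the "Contents of " prefix is charged through the `sizeof("Contents of :")` pad instead; a reader comparing this with the do_name.c and eat.c hunks, which pass the partially filled buffer, will wonder why this one differs. A short comment would settle it: `/* qbuf is still empty here; the "Contents of :" text is accounted for via padlength */`. The `tmp` to `qbuf` rename in the same hunk is unrelated to the overflow fix and doubles the size of the hunk.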