fix add_menu_coloring() buffer overrun

Fix 'Bug 2' where too long MENUCOLOR=string in run-time config file
could overflow a local buffer and clobber the stack.

Theoretically a menu coloring regular expression could require a
bigger buffer but I don't think we need to try to support that.
255 characters minus the amount needed to specify color and/or
attributes should be ample.

diff --git a/doc/fixes36.5 b/doc/fixes36.5
index 7ce10f27003b8b94a2edddaa4854ccf175337f52..c3cad8fe0ecebc3f1c96684006e556b9155f8d4f 100644 (file)
--- a/doc/fixes36.5
+++ b/doc/fixes36.5
@@ -1,4 +1,4 @@
-$NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.1 $ $NHDT-Date: 1578971847 2020/01/14 03:17:27 $
+$NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.2 $ $NHDT-Date: 1578972411 2020/01/14 03:26:51 $
 
 fixes36.5 contains a terse summary of changes made to 3.6.4 in order to
 produce 3.6.5 as well as any post-release fixes in binaries.
@@ -8,6 +8,7 @@ General Fixes and Modified Features
 -----------------------------------
 have string_for_opt() return empty_optstr on failure
 ensure existing callers of string_for_opt() check return value before using it
+fix potential buffer overflow in add_menu_coloring()
 
 
 Fixes to Post-3.6.4 Problems that Were Exposed Via git Repository

diff --git a/src/options.c b/src/options.c
index b77cda4350f24842d90096c7c97b538a3e4afd6a..3e2582a4ec760fb475442fb461b9ee85c373ad0f 100644 (file)
--- a/src/options.c
+++ b/src/options.c
@@ -1,4 +1,4 @@
-/* NetHack 3.6 options.c       $NHDT-Date: 1578971391 2020/01/14 03:09:51 $  $NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.394 $ */
+/* NetHack 3.6 options.c       $NHDT-Date: 1578972408 2020/01/14 03:26:48 $  $NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.395 $ */
 /* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */
 /*-Copyright (c) Michael Allison, 2008. */
 /* NetHack may be freely redistributed.  See license for details. */
@@ -1833,15 +1833,16 @@ int c, a;
 /* parse '"regex_string"=color&attr' and add it to menucoloring */
 boolean
 add_menu_coloring(tmpstr)
-char *tmpstr;
+char *tmpstr; /* never Null but could be empty */
 {
     int c = NO_COLOR, a = ATR_NONE;
     char *tmps, *cs, *amp;
     char str[BUFSZ];
 
-    Sprintf(str, "%s", tmpstr);
+    (void) strncpy(str, tmpstr, sizeof str - 1);
+    str[sizeof str - 1] = '\0';
 
-    if (!tmpstr || (cs = index(str, '=')) == 0) {
+    if ((cs = index(str, '=')) == 0) {
         config_error_add("Malformed MENUCOLOR");
         return FALSE;
     }