From: PatR Date: Wed, 4 Mar 2020 09:58:22 +0000 (-0800) Subject: corpse_xname() fix X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=12c2f84f64d0550fc0531dc9834fab358c85e961;p=nethack corpse_xname() fix Potential write out of bounds, in front of the block of obufs. Not exploitable but could conceivably trigger a crash. --- diff --git a/doc/fixes37.0 b/doc/fixes37.0 index 7163e30ac..ebce6640a 100644 --- a/doc/fixes37.0 +++ b/doc/fixes37.0 @@ -1,4 +1,4 @@ -$NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.117 $ $NHDT-Date: 1583282760 2020/03/04 00:46:00 $ +$NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.118 $ $NHDT-Date: 1583315888 2020/03/04 09:58:08 $ General Fixes and Modified Features ----------------------------------- @@ -64,6 +64,8 @@ randomly choosing role could lead to crash via segfault if eel bite attack caused hero to move (killed + rehumanized + crawled out of water), its grab attack could succeed even if no longer adjacent invalid status highlight color could be maliciously used to corrupt memory +formatting corpse names used internal buffers differently from formatting + other objects and could potentially clobber memory Fixes to 3.7.0-x Problems that Were Exposed Via git Repository diff --git a/src/objnam.c b/src/objnam.c index f1800e2b0..b8bae7804 100644 --- a/src/objnam.c +++ b/src/objnam.c @@ -1,4 +1,4 @@ -/* NetHack 3.7 objnam.c $NHDT-Date: 1580070220 2020/01/26 20:23:40 $ $NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.291 $ */ +/* NetHack 3.7 objnam.c $NHDT-Date: 1583315888 2020/03/04 09:58:08 $ $NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.293 $ */ /* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */ /*-Copyright (c) Robert Patrick Rankin, 2011. */ /* NetHack may be freely redistributed. See license for details. */ 
@@ -1374,7 +1374,8 @@ struct obj *otmp; const char *adjective; unsigned cxn_flags; /* bitmask of CXN_xxx values */ { - char *nambuf = nextobuf(); + /* some callers [aobjnam()] rely on prefix area that xname() sets aside */ + char *nambuf = nextobuf() + PREFIX; int omndx = otmp->corpsenm; boolean ignore_quan = (cxn_flags & CXN_SINGULAR) != 0, /* suppress "the" from "the unique monster corpse" */ @@ -1525,8 +1526,7 @@ struct obj *obj; /* format the object */ if (obj->otyp == CORPSE) { - buf = nextobuf(); - Strcpy(buf, corpse_xname(obj, (const char *) 0, CXN_NORMAL)); + buf = corpse_xname(obj, (const char *) 0, CXN_NORMAL); } else if (obj->otyp == SLIME_MOLD) { /* concession to "most unique deaths competition" in the annual devnull tournament, suppress player supplied fruit names because
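Review bot: the `+ char *nambuf = nextobuf() + PREFIX;` line in the corpse_xname() hunk changes the function's contract in two ways that the hunk does not document: the usable space behind nambuf is now PREFIX bytes smaller than a full obuf, and the returned pointer now guarantees reserved room in front of it for callers that prepend into that area, as the new comment says aobjnam() does. Suggest widening the comment to state both facts, e.g. `/* return pointer has PREFIX bytes reserved before it (callers such as aobjnam() prepend there); do not reset nambuf with a bare nextobuf() later in this function */`, so a later edit of the body does not quietly reintroduce the write in front of the obuf block that the commit message describes.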
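Review bot: in the `@@ -1525,8 +1526,7 @@` hunk the removed `buf = nextobuf();` was the actual defect, since it threw away the buffer with the prefix area that xname() sets aside and replaced it with one that has no reserved space in front, so any caller prepending into that area wrote before the obuf; the new `buf = corpse_xname(obj, (const char *) 0, CXN_NORMAL);` relies on corpse_xname() now reserving PREFIX itself, but nothing at this call site says so. Suggest a one-line comment such as `/* corpse_xname() returns an obuf with PREFIX reserved, as xname() callers expect */`. The change also stops consuming a second obuf plus a Strcpy() per corpse name, which is worth a mention in the fixes37.0 entry because callers that hold several xname() results at once depend on how many buffers from the obuf block each call uses.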