From: PatR Date: Wed, 4 Mar 2020 00:46:04 +0000 (-0800) Subject: match_str2clr() fix X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=cb18f603310f14b9811c693e07ad6b669663100f;p=nethack match_str2clr() fix Integrity fix. Make sure color values obtained via atoi() are sane so that use as array indices can't go out of bounds. --- diff --git a/doc/fixes37.0 b/doc/fixes37.0 index b7b63c1fd..7163e30ac 100644 --- a/doc/fixes37.0 +++ b/doc/fixes37.0 @@ -1,4 +1,4 @@ -$NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.116 $ $NHDT-Date: 1583193505 2020/03/02 23:58:25 $ +$NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.117 $ $NHDT-Date: 1583282760 2020/03/04 00:46:00 $ General Fixes and Modified Features ----------------------------------- @@ -63,6 +63,7 @@ display wasn't updating immediately after toggling hilite_pet option randomly choosing role could lead to crash via segfault if eel bite attack caused hero to move (killed + rehumanized + crawled out of water), its grab attack could succeed even if no longer adjacent +invalid status highlight color could be maliciously used to corrupt memory Fixes to 3.7.0-x Problems that Were Exposed Via git Repository diff --git a/src/options.c b/src/options.c index f310d00c7..e4532de29 100644 --- a/src/options.c +++ b/src/options.c @@ -1,4 +1,4 @@ -/* NetHack 3.7 options.c $NHDT-Date: 1582748890 2020/02/26 20:28:10 $ $NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.451 $ */ +/* NetHack 3.7 options.c $NHDT-Date: 1583282760 2020/03/04 00:46:00 $ $NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.457 $ */ /* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */ /*-Copyright (c) Michael Allison, 2008. */ /* NetHack may be freely redistributed. See license for details. */ 
@@ -6529,12 +6529,13 @@ char *str;
 c = colornames[i].color;
 break;
 }
- if (i == SIZE(colornames) && (*str >= '0' && *str <= '9'))
+ if (i == SIZE(colornames) && digit(*str))
 c = atoi(str);
- if (c == CLR_MAX)
- config_error_add("Unknown color '%s'", str);
-
+ if (c < 0 || c >= CLR_MAX) {
+ config_error_add("Unknown color '%.60s'", str);
+ c = CLR_MAX; /* "none of the above" */
+ }
 return c;
 }
@@ -6565,7 +6566,7 @@ boolean complain;
 }
 if (a == -1 && complain)
- config_error_add("Unknown text attribute '%s'", str);
+ config_error_add("Unknown text attribute '%.50s'", str);
 return a;
 }
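Review bot: The numeric path in the first hunk still parses with `atoi(str)`, whose behaviour is undefined when the digit string does not fit in an int, so the new `c < 0 || c >= CLR_MAX` check may be validating a value that is already garbage; an overlong number could wrap to an in-range colour and be accepted without any error. Parsing with `strtol()` and range-checking the long before narrowing closes that gap, because `strtol()` saturates on overflow: `long v = strtol(str, (char **) 0, 10); c = (v >= 0 && v < CLR_MAX) ? (int) v : CLR_MAX;`. The function starts above the hunk, so the initial value of `c` and whether every caller treats a `CLR_MAX` return as "no colour" before using it as an index are not visible here and are worth confirming.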
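Review bot: The truncation widths are bare literals that differ between the two messages (`%.60s` in the colour error of the previous hunk, `%.50s` here), with nothing saying what limit they protect. If they are sized against the buffer that `config_error_add()` formats into, which this diff does not show, a comment such as `/* bound user-supplied text so the formatted message fits config_error_add()'s buffer */` or a shared named width would keep later edits to these messages within it. The enclosing function begins above the hunk, so the other `config_error_add()` calls in it cannot be checked from here; any that print option text with a plain `%s` presumably need the same bound.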