Hello,
I found a stack buffer overflow in the cmd_load function in frontend/cmd.cc
lines 318-322 in gnuchess 6.2.5. This occurs when trying to copy the contents
of the loaded file to send to the game engine.
318 while ( epdline[i] != '\n' ) {
319 data[i+9] = epdline[i];
320 ++i;
321 printf("%d %c 0x%X\n", i, data[i+9], epdline[i]);
322 }
When parsing a valid file with no endlines in it, if the filename is too long
it overflows the data buffer because the copying while loop is looking for
newlines, not nulls to terminate the loop. For example, inputting:
load
/path/to/input/file/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtest2
File contents:
r5k1/p1p3p1/3bqr2/3pN2p/3ppB2/P7/1P3P1Q/R3R1K1 b - - bm 1; id
1;\8Ar5kAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA… (~16Kb of A)
Results in a stack where epdline has overflowed into the buffer for handling
user input, the base pointer, and the return address on the stack.
Regards,
Henry Ballentine

_______________________________________________
Bug-gnu-chess mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/bug-gnu-chess
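The pattern in the report is a copy loop whose only stop condition is a newline, so a line that ends in NUL without one keeps writing past the destination. The following is an added example, not gnuchess code and not from the reporter: it measures how far the quoted loop would run for a given line and shows a bounded replacement that stops at '\n', at NUL, or when the destination is full. The 9-byte prefix is taken from the data[i+9] index in the quoted loop; DATA_SIZE, the wrapper names and the constructed inputs are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not gnuchess code. The sizes below are assumptions chosen
 * to make the loop's behaviour observable: the quoted loop writes at
 * data[i+9], so a 9-byte command prefix is assumed, and DATA_SIZE is a
 * stand-in for whatever the real stack buffer holds. */
#define PREFIX_LEN 9
#define DATA_SIZE  128

/* How many bytes the quoted loop (stop only on '\n') would copy for this
 * line: the offset of the first '\n', or -1 when there is none, meaning the
 * loop would run past the NUL terminator and keep writing. */
long bytes_written_by_unbounded_loop(const char *epdline)
{
    const char *nl = strchr(epdline, '\n');
    return nl ? (long)(nl - epdline) : -1;
}

/* Bounded replacement: stops at '\n', at the NUL terminator, or when the
 * destination is full; always NUL-terminates data[].
 * Returns the number of bytes copied, or -1 if the line does not fit. */
long copy_epd_line(char *data, size_t data_size, const char *epdline)
{
    if (data_size <= PREFIX_LEN + 1)
        return -1;
    size_t room = data_size - PREFIX_LEN - 1;   /* keep one byte for NUL */
    size_t i = 0;
    while (epdline[i] != '\0' && epdline[i] != '\n') {
        if (i >= room) {
            data[PREFIX_LEN] = '\0';            /* refuse the oversized line */
            return -1;
        }
        data[PREFIX_LEN + i] = epdline[i];
        ++i;
    }
    data[PREFIX_LEN + i] = '\0';
    return (long)i;
}

/* Convenience wrappers around one static buffer so results can be checked
 * (hypothetical helpers, not part of the project). */
static char g_data[DATA_SIZE];

long copy_epd_line_into_static(const char *epdline)
{
    return copy_epd_line(g_data, sizeof g_data, epdline);
}

const char *copied_line(void)
{
    return g_data + PREFIX_LEN;
}

/* Constructed input: n 'A's with no newline, the shape of the file in the
 * report (capped well below the 16 KB there; enough to show the point). */
const char *make_a_run(size_t n)
{
    static char buf[4096];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    const char *ok  = "r5k1/p1p3p1/3bqr2/3pN2p/3ppB2/P7/1P3P1Q/R3R1K1 b - - bm 1;\n";
    const char *bad = make_a_run(2000);

    printf("newline-terminated line: loop copies %ld bytes\n",
           bytes_written_by_unbounded_loop(ok));
    printf("line without newline:    loop never stops (%ld)\n",
           bytes_written_by_unbounded_loop(bad));
    printf("bounded copy of good line -> %ld\n", copy_epd_line_into_static(ok));
    printf("bounded copy of 2000-byte line -> %ld\n", copy_epd_line_into_static(bad));
    return 0;
}
```

The bounded version treats "no newline before NUL" as a normal end of line rather than a reason to keep reading, and rejects a line that would not fit instead of truncating silently, so the caller can report the bad input.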