Hi Henry,

Thanks for your report. The details you provide are very much appreciated. I see the bug you pinpoint and I will fix it for the next release of GNU Chess.
Regards,
Antonio Ceballos

On Wed, Aug 14, 2019 at 4:48 PM Henry Ballentine via Bug-gnu-chess <[email protected]> wrote:
> Hello,
>
> I found a stack buffer overflow in the cmd_load function in frontend/cmd.cc lines 318-322 in gnuchess 6.2.5. This occurs when trying to copy the contents of the loaded file to send to the game engine.
>
> 318 while ( epdline[i] != '\n' ) {
> 319     data[i+9] = epdline[i];
> 320     ++i;
> 321     printf("%d %c 0x%X\n", i, data[i+9], epdline[i]);
> 322 }
>
> When parsing a valid file with no endlines in it, if the filename is too long it overflows the data buffer because the copying while loop is looking for newlines, not nulls to terminate the loop. For example, inputting:
>
> load /path/to/input/file/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtest2
>
> File contents:
>
> r5k1/p1p3p1/3bqr2/3pN2p/3ppB2/P7/1P3P1Q/R3R1K1 b - - bm 1; id 1;\8Ar5kAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA… (~16Kb of A)
>
> Results in a stack where epdline has overflown into the buffer for handling user input, the base pointer, and the return address on the stack.
>
> Regards,
>
> Henry Ballentine
>
> _______________________________________________
> Bug-gnu-chess mailing list
> [email protected]
> https://lists.gnu.org/mailman/listinfo/bug-gnu-chess
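Added example, not GNU Chess code: a bounded replacement for the copy loop quoted in the report, which stops on '\n', on the string terminator, or when the destination is full, and reports failure instead of writing past the buffer. The buffer sizes and the 9-byte prefix content are assumptions; the page only shows the `data[i+9]` offset and that the original loop tests for '\n' alone.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes: the report does not give the real sizes of `data`
 * or `epdline` in frontend/cmd.cc. */
#define DATA_SIZE  64
#define PREFIX_LEN 9   /* the offset used by data[i+9] in the report */

/* Copy one EPD line into data[PREFIX_LEN..], stopping at '\n', at the
 * NUL terminator, or when the destination would be full.
 * Returns the number of bytes copied, or -1 if the line did not fit,
 * so the caller can reject the input rather than overflow the stack. */
int copy_epd_line(char *data, size_t data_size, const char *epdline)
{
    if (data_size <= PREFIX_LEN)
        return -1;                          /* no room even for the prefix */
    size_t cap = data_size - PREFIX_LEN - 1; /* bytes left for line + NUL */
    size_t i = 0;
    while (epdline[i] != '\n' && epdline[i] != '\0') {
        if (i >= cap)
            return -1;                      /* too long: refuse, don't overflow */
        data[PREFIX_LEN + i] = epdline[i];
        ++i;
    }
    data[PREFIX_LEN + i] = '\0';
    return (int)i;
}

int main(void)
{
    /* Constructed 9-byte prefix; the page does not say what occupies it. */
    char data[DATA_SIZE] = "setboard ";
    /* Constructed inputs: a normal EPD line, and a newline-free line
     * longer than the destination (the failure mode from the report). */
    const char *good = "r5k1/p1p3p1/3bqr2/3pN2p/3ppB2/P7/1P3P1Q/R3R1K1 b - -\n";
    char huge[200];
    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';

    int n = copy_epd_line(data, sizeof data, good);
    printf("good: %d bytes -> \"%s\"\n", n, data);
    n = copy_epd_line(data, sizeof data, huge);
    printf("huge: %d (rejected)\n", n);
    return 0;
}
```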
