Bug#297644: icebreaker: crashes when high score names contain "%n%n%n%n"

Tue, 01 Mar 2005 16:53:07 -0800 

Subject: icebreaker: crashes when high score names contain "%n%n%n%n"
Package: icebreaker
Version: 1.21-9
Severity: normal
Tags: patch

Hello,

icebreaker crashes when high score names contain strings like "%n%n%n%n". It
is caused by a bunch of bad snprintf() calls in hiscore.c. You can test the bug
by playing well enough to reach the high score table and then entering
"%n%n%n%n" as your name. I have attached a patch.

// Ulf H�rnhammar

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages icebreaker depends on:
ii  libc6         2.3.2.ds1-20               GNU C Library: Shared libraries an
ii  libsdl-mixer1 1.2.6-1                    mixer library for Simple DirectMed
ii  libsdl1.2debi 1.2.7+1.2.8cvs20041007-4.1 Simple DirectMedia Layer

-- no debconf information


--- hiscore.c.old       2001-07-30 03:28:37.000000000 +0200
+++ hiscore.c   2005-03-02 00:55:24.000000000 +0100
@@ -83,7 +83,7 @@ void readhiscores()
        // ok, so now, we can copy things over in the proper sorted order
        for (i=0;i<HISCORENUM;i++)
        {
-               snprintf(hiscorename[i],50,temphiscorename[arrayindex[i]]);
+               snprintf(hiscorename[i],50,"%s",temphiscorename[arrayindex[i]]);
                hiscoreval[i]=temphiscoreval[arrayindex[i]];
        }
 
@@ -109,13 +109,13 @@ void addhiscore(char * username, long sc
        // make sure the temp array contains the right data
        for (i=0;i<HISCORENUM;i++)
        {
-               snprintf(temphiscorename[i],50,hiscorename[i]);
+               snprintf(temphiscorename[i],50,"%s",hiscorename[i]);
                temphiscoreval[i]=hiscoreval[i];
        }
        
        // and toss in the new data 
        //(this is why these arrays are size HISCORENUM+1)
-       snprintf(temphiscorename[HISCORENUM],50,username);
+       snprintf(temphiscorename[HISCORENUM],50,"%s",username);
        temphiscoreval[HISCORENUM]=score;
 
        // fill the "helper" array. 
@@ -129,7 +129,7 @@ void addhiscore(char * username, long sc
        // and take the top ones back.
        for (i=0;i<HISCORENUM;i++)
        {
-               snprintf(hiscorename[i],50,temphiscorename[arrayindex[i]]); 
+               
snprintf(hiscorename[i],50,"%s",temphiscorename[arrayindex[i]]); 
                hiscoreval[i]=temphiscoreval[arrayindex[i]];
        }

Reply via email to