                 Summary: fill_sprite_array() has no array bounds checks
                 Project: Freeciv
            Submitted by: jtn
            Submitted on: Sun Nov  3 14:08:48 2013
                Category: client
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: Any
         Planned Release: 
fill_sprite_array() and descendants have a pattern where they increment an
array pointer passed in a number of times and return how many times they did
it. There is no check that the array is big enough, nor any way of growing

fill_sprite_array() is called from put_one_element(), which passes an array

It might be that this is big enough for all possible tilesets; it seems
likely, but without a detailed audit I can't say for sure.

It would be better if some idiom that will spot overflow is used. While this
code is frequently used, it is also complex, so I can't imagine the execution
overhead will be overwhelming.
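Added example (not code from the bug report or from Freeciv itself): the unchecked pointer-bumping pattern the report describes, next to a bounded-writer idiom that spots overflow. The drawn_sprite layout, TILE_SPR_MAX, the layer list and every function name other than the two quoted from the report are assumptions made up for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the per-sprite record the client fills in; the
 * real struct has more fields, but the overflow pattern does not depend on them. */
struct drawn_sprite {
  int sprite_id, offset_x, offset_y;
};

/* Capacity of the caller's fixed array (the put_one_element() case in the
 * report). The constant and the layer list are constructed for this example. */
#define TILE_SPR_MAX 4
static const int six_layers[] = { 11, 12, 13, 14, 15, 16 }; /* 6 > TILE_SPR_MAX */

/* The pattern the report describes: bump the caller's pointer once per sprite
 * and return how many times that happened. Nothing here knows how big `sprs`
 * is, so a tileset needing more layers than the caller allocated writes past
 * the end of the array. */
static int fill_sprite_array_unchecked(struct drawn_sprite *sprs,
                                       const int *layers, size_t n_layers)
{
  struct drawn_sprite *save = sprs;
  for (size_t i = 0; i < n_layers; i++) {
    *sprs = (struct drawn_sprite){ layers[i], 0, 0 };
    sprs++;                           /* no comparison against any capacity */
  }
  return (int)(sprs - save);
}

/* Bounded-writer idiom: keep capacity and length next to the pointer and make
 * one append routine the only thing that writes. A refused append sets a sticky
 * flag so the caller can tell "array full" from "nothing to draw". */
struct sprite_array {
  struct drawn_sprite *base;
  size_t cap, len;
  bool overflowed;
};

static bool sprite_array_push(struct sprite_array *a, int id, int dx, int dy)
{
  if (a->len >= a->cap) {
    a->overflowed = true;             /* refuse instead of writing base[cap] */
    return false;
  }
  a->base[a->len++] = (struct drawn_sprite){ id, dx, dy };
  return true;
}

/* Same job as fill_sprite_array_unchecked(), but every write goes through the
 * checked push; the return value is still "number of sprites placed". */
static int fill_sprite_array_checked(struct sprite_array *a,
                                     const int *layers, size_t n_layers)
{
  for (size_t i = 0; i < n_layers; i++) {
    if (!sprite_array_push(a, layers[i], 0, 0)) {
      break;                          /* later layers would be refused too */
    }
  }
  return (int)a->len;
}

/* Caller in the style of put_one_element(): fixed stack array, filled through
 * the bounded writer. Returns the sprite count; *dropped says what did not fit. */
static int draw_tile(const int *layers, size_t n_layers, size_t *dropped)
{
  struct drawn_sprite tile_sprs[TILE_SPR_MAX];
  struct sprite_array a = { tile_sprs, TILE_SPR_MAX, 0, false };
  int count = fill_sprite_array_checked(&a, layers, n_layers);

  if (a.overflowed) {                 /* where an assertion or log line belongs */
    fprintf(stderr, "tile needs %zu sprites, buffer holds %d\n",
            n_layers, TILE_SPR_MAX);
  }
  *dropped = n_layers - a.len;
  return count;
}

/* How many sprites the unchecked filler writes for `layers`. A scratch buffer
 * large enough for any accepted input keeps this call itself safe; the point
 * is that the result can exceed TILE_SPR_MAX with nothing to stop it. */
static int unchecked_count(const int *layers, size_t n_layers)
{
  struct drawn_sprite scratch[64];
  return n_layers > 64 ? -1 : fill_sprite_array_unchecked(scratch, layers, n_layers);
}

int main(void)
{
  size_t dropped = 0;
  int placed = draw_tile(six_layers, 6, &dropped);
  printf("checked: placed %d, dropped %zu\n", placed, dropped);
  printf("unchecked would have written %d sprites into %d slots\n",
         unchecked_count(six_layers, 6), TILE_SPR_MAX);
  return 0;
}
```

The cost of the checked variant is one integer compare per appended sprite, which is small next to the per-layer work a real filler does; whether an overflow should be logged, asserted on in debug builds, or cause the remaining layers to be dropped silently is a policy choice the caller makes in one place, since only the push routine can fail.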


  Message sent via/by Gna!

Freeciv-dev mailing list