Summary: fill_sprite_array() has no array bounds checks
Submitted by: jtn
Submitted on: Sun Nov 3 14:08:48 2013
Severity: 3 - Normal
Priority: 5 - Normal
Assigned to: None
Discussion Lock: Any
Operating System: Any
fill_sprite_array() and descendants have a pattern where they increment an
array pointer passed in a number of times and return how many times they did
it. There is no check that the array is big enough, nor any way of growing
fill_sprite_array() is called from put_one_element(), which passes an array
It might be that this is big enough for all possible tilesets; it seems
likely, but without a detailed audit I can't say for sure.
It would be better if some idiom that will spot overflow is used. While this
code is frequently used, it is also complex, so I can't imagine the execution
overhead will be overwhelming.
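The idiom the report asks for, written out as an added example (not Freeciv's code, and the names `sprite_buf_t`, `fill_layer` and `fill_sprites` are hypothetical stand-ins for fill_sprite_array() and its descendants): instead of a bare pointer, every writer receives the array together with its capacity and the current fill count, so an append that would run past the end is refused and recorded rather than written. The count-returning convention the report describes is kept, but the returned count can no longer exceed the space that was actually there.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical sprite handle; no real Freeciv type is assumed here. */
typedef struct { int id; } sprite_t;

/* Bounded output buffer: the caller's array, its capacity, and how many
   slots are filled. Every writer receives this instead of a bare pointer. */
typedef struct {
  sprite_t *data;
  size_t cap;
  size_t count;
  bool overflowed;   /* set once any append has been refused */
} sprite_buf_t;

static void sprite_buf_init(sprite_buf_t *b, sprite_t *storage, size_t cap) {
  b->data = storage;
  b->cap = cap;
  b->count = 0;
  b->overflowed = false;
}

/* Append one sprite. Returns true if stored, false if the buffer is full;
   a refused append is dropped and recorded, never written past the end. */
static bool sprite_buf_push(sprite_buf_t *b, sprite_t s) {
  if (b->count >= b->cap) {
    b->overflowed = true;
    return false;
  }
  b->data[b->count++] = s;
  return true;
}

/* Hypothetical "descendant" filler: tries to add n sprites for one layer
   and returns how many it actually stored. */
static size_t fill_layer(sprite_buf_t *b, int base_id, size_t n) {
  size_t stored = 0;
  for (size_t i = 0; i < n; i++) {
    sprite_t s = { base_id + (int)i };
    if (!sprite_buf_push(b, s)) {
      break;   /* first refusal: stop, nothing was written out of bounds */
    }
    stored++;
  }
  return stored;
}

/* Hypothetical top-level filler in the shape of fill_sprite_array(): two
   layers, total returned. Layer sizes are constructed, not tileset data. */
static size_t fill_sprites(sprite_buf_t *b) {
  size_t total = 0;
  total += fill_layer(b, 100, 3);   /* e.g. a terrain layer */
  total += fill_layer(b, 200, 3);   /* e.g. a unit layer */
  return total;
}

/* Demonstration driver: a 4-slot array receives 6 requested sprites. */
int main(void) {
  sprite_t storage[4];
  sprite_buf_t buf;
  sprite_buf_init(&buf, storage, 4);
  size_t n = fill_sprites(&buf);
  printf("stored %zu of 6 requested, overflow=%s\n",
         n, buf.overflowed ? "yes" : "no");
  return buf.overflowed ? 1 : 0;
}
```

The `overflowed` flag is what makes the condition visible after the fact: a caller such as put_one_element() can assert on it or log it, which turns a silent memory write into a detectable event. The extra cost per append is one comparison, consistent with the report's expectation that the overhead is small.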
Message sent via/by Gna!
Freeciv-dev mailing list