URL:
  <http://gna.org/bugs/?21247>

                 Summary: fill_sprite_array() has no array bounds checks
                 Project: Freeciv
            Submitted by: jtn
            Submitted on: Sun Nov  3 14:08:48 2013
                Category: client
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
                 Release: 
         Discussion Lock: Any
        Operating System: Any
         Planned Release: 

    _______________________________________________________

Details:

fill_sprite_array() and descendants have a pattern where they increment an
array pointer passed in a number of times and return how many times they did
it. There is no check that the array is big enough, nor any way of growing
it.

fill_sprite_array() is called from put_one_element(), which passes an array
tile_sprs[80].

It might be that this is big enough for all possible tilesets; it seems
likely, but without a detailed audit I can't say for sure.

It would be better if some idiom that will spot overflow is used. While this
code is frequently used, it is also complex, so I can't imagine the execution
overhead will be overwhelming.


    _______________________________________________________

_______________________________________________
  Message sent via/by Gna!
  http://gna.org/


_______________________________________________
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev
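The two idioms the report contrasts, as an added C example that is not Freeciv's code: an "increment the caller's pointer and return the count" filler with no bounds, beside a bounded variant where the output array carries its capacity and refused appends are counted instead of written. The struct names, `fill_unchecked`, `sprite_sink`, `sink_add` and `draw_tile_checked` are constructed for this illustration and do not correspond to identifiers in the client; a capacity of 4 stands in for the 80-slot `tile_sprs` so the overflow case is reachable in a short run.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for one sprite slot (constructed for this example; the client's
 * real element type is not reproduced here). */
struct drawn_sprite {
  int sprite_id;
  int offset_x;
  int offset_y;
};

/* ---- The unchecked idiom the report describes ---------------------------
 * The helper appends into the caller's array by bumping the pointer and
 * returns how many slots it used. Nothing tells it where the array ends, so
 * a caller whose array is too small gets an out-of-bounds write. */
static int fill_unchecked(struct drawn_sprite *sprs, int nsprites)
{
  struct drawn_sprite *save = sprs;
  for (int i = 0; i < nsprites; i++) {
    sprs->sprite_id = i;
    sprs->offset_x = 0;
    sprs->offset_y = 0;
    sprs++;               /* overruns the array once i reaches its capacity */
  }
  return (int)(sprs - save);
}

/* ---- A bounded alternative ----------------------------------------------
 * The output array travels with its capacity and a cursor. An append that
 * would not fit is dropped and counted rather than written past the end. */
struct sprite_sink {
  struct drawn_sprite *buf;
  size_t cap;      /* slots available in buf */
  size_t len;      /* slots used so far */
  size_t dropped;  /* appends refused because buf was full */
};

static void sink_init(struct sprite_sink *s, struct drawn_sprite *buf, size_t cap)
{
  s->buf = buf;
  s->cap = cap;
  s->len = 0;
  s->dropped = 0;
}

static bool sink_add(struct sprite_sink *s, int sprite_id, int ox, int oy)
{
  if (s->len >= s->cap) {
    s->dropped++;        /* the overflow is detected, not silently written */
    return false;
  }
  s->buf[s->len].sprite_id = sprite_id;
  s->buf[s->len].offset_x = ox;
  s->buf[s->len].offset_y = oy;
  s->len++;
  return true;
}

/* Same producer logic as fill_unchecked, but every write goes through
 * sink_add, so the caller's array cannot be overrun. */
static size_t fill_checked(struct sprite_sink *s, int nsprites)
{
  for (int i = 0; i < nsprites; i++) {
    sink_add(s, i, 0, 0);
  }
  return s->len;
}

/* Caller in the style of put_one_element(): a fixed-size local array.
 * Capacity 4 stands in for the real tile_sprs[80]. */
#define TILE_SPRS_CAP 4

struct fill_result {
  size_t stored;   /* sprites actually placed in tile_sprs */
  size_t dropped;  /* sprites that did not fit; nonzero means the array is too small */
};

static struct fill_result draw_tile_checked(int nsprites)
{
  struct drawn_sprite tile_sprs[TILE_SPRS_CAP];
  struct sprite_sink sink;
  struct fill_result r;

  sink_init(&sink, tile_sprs, TILE_SPRS_CAP);
  r.stored = fill_checked(&sink, nsprites);
  r.dropped = sink.dropped;
  if (r.dropped) {
    fprintf(stderr, "tile_sprs too small: %zu sprite(s) dropped\n", r.dropped);
  }
  return r;
}

int main(void)
{
  struct drawn_sprite small[TILE_SPRS_CAP];
  /* The unchecked filler is only safe while the caller's guess is right. */
  printf("unchecked, in bounds: %d stored\n", fill_unchecked(small, 3));
  struct fill_result r = draw_tile_checked(6);
  printf("checked, 6 requested: %zu stored, %zu dropped\n", r.stored, r.dropped);
  return 0;
}
```

The checked form costs one comparison per append, which matches the report's expectation that overhead would be small next to the rest of the drawing code; the `dropped` counter gives a tileset audit something concrete to assert on instead of relying on the 80-slot guess.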
