W. None wrote:
> Hello there,
>
> It appears there is a buffer overflow in GenericDeck_maskToString.
> Here, a fixed buffer int cards[50] is allocated. But of course, a deck
> might have some more cards, up to 54 with two jokers... Similarly in
> the printMask later on.
>
deck_astud.h:32:#define AStudDeck_N_CARDS 32
deck_joker.h:26:#define JokerDeck_N_CARDS 53
deck_std.h:32:#define StdDeck_N_CARDS 52
Therefore 50 is indeed not enough. Nice catch :-)
Your patch was applied and will show in the next release.
Thanks for your contribution.
> I don't think this is exploitable but might result in some nasty
> crashes, so I'd say, better to err on the safe side:
>
> Index: deck.c
> ===================================================================
> --- deck.c (revision 3802)
> +++ deck.c (working copy)
> @@ -24,7 +24,7 @@
>
> int
> GenericDeck_maskToString(Deck *deck, void *cardMask, char *outString) {
> - int cards[50], n, i;
> + int cards[100], n, i;
> char *p;
>
> n = (*deck->maskToCards)(cardMask, cards);
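Review bot: `int cards[100]` in GenericDeck_maskToString is still a bare literal with no stated link to any deck size, and the call `n = (*deck->maskToCards)(cardMask, cards);` passes no capacity, so the callee cannot know how many entries it may write. The largest deck constant quoted in this thread is JokerDeck_N_CARDS at 53, so 100 leaves headroom today, but sizing the array from a named maximum (or giving maskToCards a capacity argument) and checking n against the array size would keep the bound from silently going stale again.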
> @@ -42,7 +42,7 @@
>
> int
> GenericDeck_printMask(Deck *deck, void *cardMask) {
> - char outString[150];
> + char outString[300];
> int r;
>
> r = GenericDeck_maskToString(deck, cardMask, outString);
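Review bot: `char outString[300]` in GenericDeck_printMask is doubled in step with cards[], which keeps the same 3 bytes per card as before (150 for 50), but nothing in the hunk says why 3 bytes per card is sufficient. `GenericDeck_maskToString(deck, cardMask, outString)` takes no length, so the writer cannot bound itself; consider passing sizeof(outString) through, or at least deriving the size from the card-array bound with a comment stating the per-card width.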
>
>
> Greetings,
> Wladimir
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pokersource-users mailing list
> [email protected]
> https://mail.gna.org/listinfo/pokersource-users
>