I think that the function PGNTagsStatic() in pgntags.c is unsafe. The
problem is that gameInfo->extraTags which can have any size is copied
without size control to a buffer which can overflow as the result. This
is rather serious as it is easy to construct a pgn file that can cause
the overflow.
You cannot have something of possibly unlimited size in a static buffer,
so I suggest that PGNTagsStatic is removed. PGNTags() can then allocate
a big eneogh buffer and do the work itself. PrintPGNTags() doesn't need
a buffer, but can print directly to the file.
The "guilty" function is strcat() which is used in many places, so it is
probably a good idea to check all uses of strcat.
However there is no reason to replace all occurences of strcat with
something else like it is done with strcpy(). I find it a little silly
to see calls to safeStrCpy instead of strcpy when you have just
allocated a new buffer of the required size, so strcpy would be
perfectly safe to use.
- [XBoard-devel] Buffer overflow Byrial Jensen
-
