Package: tome
Version: 2.4
Severity: normal

Dear Maintainer,

At lines 2519 and 2520 of src/cmd1.cc:

    (2519) flavored_attack((100 * k) / m_ptr->maxhp, buff);
    (2520) msg_format(buff, m_name);

In function flavored_attack(int percent, char *output), at line 1792 of the same file, get_rnd_line(...) is called:

    (1792) get_rnd_line("dam_none.txt", output);

Inside get_rnd_line(const char *file_name, char *output), at line 5590 of src/file.cc, my_fgets(...) is called:

    (5590) if (0 != my_fgets(fp, buf, 80)) ...
    (5601) strcpy(output, buf)

Inside my_fgets(FILE *fff, char *buf, ...), at line 301 of src/util.cc:

    (301) int c = fgetc(fff);
    ...
    (350) buf[i++] = c;

Thus the second argument of my_fgets() is filled with integers read from an external source via fgetc(), and, backtracking through the call chain, the variable buff at line 2519 of src/cmd1.cc holds data read from an external source. At line 2520 of src/cmd1.cc, msg_format(buff, m_name) is called with buff as its first argument. At line 1983 of src/util.cc, in function msg_format(cptr fmt, ...), vstrnfmt(...) is called with buff passed through as its format argument:

    (1983) vstrnfmt(buf, 1024, fmt, ...)

In src/z-form.c, from line 214:

    (214) s = fmt;
    ...
    (377) aux[q++] = *s++;
    ...
    (460) sprintf(tmp, aux, arg);

To sum up, at line 460 the second argument of sprintf (aux) is derived from an external source and may cause a format string bug.

-- System Information:
Debian Release: 11.0
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.4.0-19041-Microsoft
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
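An added example, not tome's own code, of how the call pair at cmd1.cc:2519-2520 can be hardened: the line read from dam_none.txt is expanded by a small template routine that substitutes at most one "%s" placeholder with the monster name (an assumption about the data-file format) and copies every other character literally, so the file text never reaches vstrnfmt()/sprintf() as a format string; the caller then emits the result with a fixed format, i.e. msg_format("%s", out).

```c
/* Added example (not tome's own code). Expands a line read from a data
 * file such as dam_none.txt WITHOUT handing it to the printf family, so
 * a stray '%' in the file can never be interpreted as a conversion
 * directive. Assumption: a line carries at most one "%s" placeholder
 * standing for the monster name. */
#include <stddef.h>
#include <string.h>

/* Copies tmpl into out, replacing the first "%s" with name. Every other
 * character, including any other '%' sequence, is copied literally.
 * Returns the number of substitutions made (0 or 1), or -1 if out is too
 * small. out is always NUL-terminated when len > 0. */
int expand_name_template(const char *tmpl, const char *name,
                         char *out, size_t len)
{
    size_t o = 0;
    int subs = 0;

    if (len == 0) return -1;
    for (const char *p = tmpl; *p; p++) {
        if (!subs && p[0] == '%' && p[1] == 's') {
            size_t n = strlen(name);
            if (o + n >= len) { out[0] = '\0'; return -1; }
            memcpy(out + o, name, n);
            o += n;
            subs = 1;
            p++;                     /* skip the 's' of "%s" */
            continue;
        }
        if (o + 1 >= len) { out[0] = '\0'; return -1; }
        out[o++] = *p;               /* literal copy, '%' included */
    }
    out[o] = '\0';
    return subs;
}
```

Once the message is built this way, the original `msg_format(buff, m_name)` becomes `msg_format("%s", out)`, which removes the untrusted format string from the sprintf() path at z-form.c:460.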