Package: onscripter
Version: 0.0.20070826a-1
Severity: normal

In ONScripterLabel_rmenu.cpp, in ONScripterLabel::executeSystemLoad(),
the following code has a buffer overflow when defined(ENABLE_1BYTE_CHAR)
&& defined(FORCE_1BYTE_CHAR):

        char *buffer = new char[ strlen( save_item_name ) + 30 + 1 ];

        for ( unsigned int i=1 ; i<=num_save_file ; i++ ){
            searchSaveFile( save_file_info, i );
            menu_font.setXY( (menu_font.num_xy[0] - (strlen( save_item_name ) / 2 + 15) ) / 2 );

            if ( save_file_info.valid ){
                sprintf( buffer, MESSAGE_SAVE_EXIST,
                         save_item_name,
                         save_file_info.sjis_no,
                         save_file_info.sjis_month,
                         save_file_info.sjis_day,
                         save_file_info.sjis_hour,
                         save_file_info.sjis_minute );
                nofile_flag = false;

MESSAGE_SAVE_EXIST is 21 characters, not counting the format specifiers and the
NUL terminator. Each of the sjis_* fields may be up to four characters,
making 41 characters, not 30.
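Added example (not from the report or from onscripter's source) that measures the worst case with snprintf instead of counting by hand and shows a bounded replacement for the sprintf. MESSAGE_SAVE_EXIST_STANDIN is a constructed format string with the same 21 literal characters the report describes, not the real macro, and SJIS_FIELD_MAX is a constructed four-byte field value.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for MESSAGE_SAVE_EXIST: 21 literal characters plus six
 * %s conversions (item name + five sjis_* fields). Not the real macro. */
#define MESSAGE_SAVE_EXIST_STANDIN "%s%s  saved on %s/%s at %s:%s JST"

/* Widest value a sjis_* field can take per the report: four bytes
 * (two double-byte characters). Constructed placeholder bytes. */
#define SJIS_FIELD_MAX "\x82\x50\x82\x50"

/* Worst-case bytes (excluding NUL) the formatted line occupies for a given
 * save_item_name, measured with snprintf(NULL, 0, ...). */
size_t save_line_worst_case(const char *save_item_name)
{
    int n = snprintf(NULL, 0, MESSAGE_SAVE_EXIST_STANDIN, save_item_name,
                     SJIS_FIELD_MAX, SJIS_FIELD_MAX, SJIS_FIELD_MAX,
                     SJIS_FIELD_MAX, SJIS_FIELD_MAX);
    return n < 0 ? 0 : (size_t)n;
}

/* The original budget was strlen(name) + 30 + 1 bytes. Returns 1 when the
 * worst case (plus NUL) still fits, 0 when the sprintf can overrun it. */
int original_budget_is_safe(const char *save_item_name)
{
    return save_line_worst_case(save_item_name) + 1 <= strlen(save_item_name) + 30 + 1;
}

/* Bounded formatting: never writes past bufsize and reports truncation
 * instead of silently overrunning. Returns 0 on success, -1 otherwise. */
int format_save_line(char *buf, size_t bufsize, const char *save_item_name,
                     const char *no, const char *month, const char *day,
                     const char *hour, const char *minute)
{
    int n = snprintf(buf, bufsize, MESSAGE_SAVE_EXIST_STANDIN, save_item_name,
                     no, month, day, hour, minute);
    return (n < 0 || (size_t)n >= bufsize) ? -1 : 0;
}
```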

I have observed this behavior causing crashes in copies of onscripter that I
have built myself; I've also reported it to upstream (with a patch) but
it has evidently not been applied.


My patch is as follows; it's a bit brute force but allows enough space
for the sprintf to be safe:


--- 
onscripter-insani_20060724/build-tree/onscripter-20060724-insani/ONScripterLabel_rmenu.cpp
  2006-06-22 00:16:52.000000000 -0400
+++ 
onscripter-insani_20060724.new/build-tree/onscripter-20060724-insani/ONScripterLabel_rmenu.cpp
      2006-11-19 01:16:15.000000000 -0500
@@ -319,7 +319,7 @@
         flush( refreshMode() );

         bool nofile_flag;
-        char *buffer = new char[ strlen( save_item_name ) + 30 + 1 ];
+        char *buffer = new char[ strlen( save_item_name ) + 256 ];

         for ( unsigned int i=1 ; i<=num_save_file ; i++ ){
             searchSaveFile( save_file_info, i );
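Review bot: the replacement `strlen( save_item_name ) + 256` is still an unchecked fixed overhead in front of an unbounded sprintf; since the report computes the worst case at 41 bytes plus NUL, a named constant derived from that figure (or an snprintf bounded by the allocation size, with the size kept alongside the pointer) would make the fix self-documenting and keep a later change to MESSAGE_SAVE_EXIST or the sjis_* widths from silently reintroducing the overflow.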
@@ -401,7 +401,7 @@
         flush( refreshMode() );

         bool nofile_flag;
-        char *buffer = new char[ strlen( save_item_name ) + 30 + 1 ];
+        char *buffer = new char[ strlen( save_item_name ) + 256 ];

         for ( unsigned int i=1 ; i<=num_save_file ; i++ ){
             SaveFileInfo save_file_info;
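Review bot: this hunk repeats the same literal `+ 256` at line 401 as the hunk at line 319; with two copies, the next person editing one allocation is likely to miss the other, so hoist the slack into one shared constant next to MESSAGE_SAVE_EXIST and use it in both places. The description should also say whether the second function formats with the same MESSAGE_SAVE_EXIST, since only the first sprintf is quoted in the report.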




-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.21-2-k7 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

