On 8/30/07, Ying-Chun Liu (PaulLiu) <[EMAIL PROTECTED]> wrote:
> Dear Bryan,
>
> Can you provide the information about what game makes the program crash?
> Probably with your save file if you don't mind :)

The game is the English patch of Higurashi Kai ( http://hinamizawaclub.com ). The crash was intermittent - maybe half of the time I opened a save or load dialog with some save files extant, a crash would occur. I don't have a save at the moment (I've been patching my copy of onscripter locally), but I'll see if I can get a crash and core dump with the version in sid.

> Or how can we make a script from scratch to crash the program?
> I'd like to reproduce this bug by myself because I'm not very sure this
> is a bug.
>
> Yes, as you mentioned, each numeric character (double-width
> 0123456789) in Shift-JIS is two bytes long. But when compiling
> with ENABLE_1BYTE_CHAR and FORCE_1BYTE_CHAR, the data stored in
> save_file_info.* are pure ASCII numeric characters (single-width
> 0123456789).
>
> Thus, even though each field of save_file_info.* is 5 bytes long, only 3 of
> them are used when using ENABLE_1BYTE_CHAR and FORCE_1BYTE_CHAR. (two
> digits and NUL terminator)

That should be enough: 21 bytes (MESSAGE_SAVE_EXIST minus format strings and NUL) + 2 * 5 + 1 (the NUL) = 32, which is larger than the allocated buffer. Moreover, if a malicious savefile uses more than two bytes in each field, you'll have a possibly-exploitable buffer overflow for sure.

In any case, using hardcoded constants seems dangerous, especially when they're calculated so close to the absolute minimum. RAM's cheap, throw a few hundred bytes at it to make the problem go away for sure :)
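The arithmetic above (literal bytes of the format string, plus the longest contents of each save_file_info field, plus the NUL) is exactly what a bounded formatter should check at run time instead of trusting a hand-tuned buffer size. The C below is an added illustration written for this thread, not ONScripter's code: the MESSAGE_SAVE_EXIST text, the FIELD_LEN of 5, the field names `month`/`day` and the function names are constructed stand-ins chosen so the literal text is 21 bytes, matching the figure in the message. It shows the worst-case length computation, a field copy that stays safe when a save file omits the NUL terminator (the "malicious savefile" case), and a `snprintf`-based replacement that reports a too-small buffer rather than overrunning it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for this example; ONScripter's real definitions differ.
 * 21 literal bytes plus two %s, matching the arithmetic in the thread. */
#define MESSAGE_SAVE_EXIST "Overwrite savefile %s/%s?"
#define FIELD_LEN 5        /* one save_file_info field: up to 4 bytes + NUL */

/* Assumed layout: two fixed-width text fields read straight from the save file. */
struct save_file_info {
    char month[FIELD_LEN];
    char day[FIELD_LEN];
};

/* Worst-case message length including the NUL: literal bytes (the format
 * without its two "%s") + the longest contents of each field + 1.
 * With the constants above this is 21 + 2 * 4 + 1 = 30. */
size_t save_exist_max_len(void)
{
    size_t literal = sizeof(MESSAGE_SAVE_EXIST) - 1 - 2 * strlen("%s");
    return literal + 2 * (FIELD_LEN - 1) + 1;
}

/* Copy a field so that it is always NUL-terminated, even if the save file
 * filled all FIELD_LEN bytes with digits and no terminator. Never reads
 * past FIELD_LEN - 1 bytes of src, so a hostile field cannot make %s run on. */
static void copy_field(char dst[FIELD_LEN], const char *src)
{
    size_t n = 0;
    while (n < FIELD_LEN - 1 && src[n] != '\0')
        n++;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Bounded replacement for sprintf(buf, MESSAGE_SAVE_EXIST, ...).
 * Returns 0 on success, -1 if buf_len bytes are not enough (buf is then
 * left empty), so the caller never gets a silently overrun or truncated
 * message. */
int format_save_exist(char *buf, size_t buf_len,
                      const struct save_file_info *info)
{
    char month[FIELD_LEN], day[FIELD_LEN];
    copy_field(month, info->month);
    copy_field(day, info->day);

    int needed = snprintf(buf, buf_len, MESSAGE_SAVE_EXIST, month, day);
    if (needed < 0 || (size_t)needed >= buf_len) {
        if (buf_len > 0)
            buf[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    struct save_file_info info = { "12", "31" };   /* constructed sample fields */
    char tight[24];   /* smaller than save_exist_max_len(): the thread's situation */
    char roomy[64];   /* "throw a few hundred bytes at it" */

    printf("worst case needs %zu bytes\n", save_exist_max_len());
    printf("24-byte buffer: %s\n",
           format_save_exist(tight, sizeof tight, &info) == 0 ? tight : "rejected");
    printf("64-byte buffer: %s\n",
           format_save_exist(roomy, sizeof roomy, &info) == 0 ? roomy : "rejected");
    return 0;
}
```

The point of `save_exist_max_len` is that the buffer size follows from the constants rather than being a separate hand-computed literal; if FIELD_LEN or the message text changes, the bound changes with it, and `format_save_exist` refuses rather than overflows when someone still gets it wrong.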