Arthmoor / SmaugFUSS

Fixed Up Smaug Source by the FUSS Project at SmaugMuds
https://smaugmuds.afkmods.com/

Weather buffer overflows #5

Open fiendish opened 2 years ago

fiendish commented 2 years ago

Based purely on visual inspection of the code, various places in weather.c appear to read and write past the end of the weatherMap storage.

I think https://github.com/Arthmoor/SmaugFUSS/blob/d86556c97649e9cb797cf4da3865677970b624cd/src/weather.c#L3086-L3096 should be

   if( x < 0 || x >= WEATHER_SIZE_X )
   {
      ch_printf( ch, "X value must be between 0 and %d.\r\n", WEATHER_SIZE_X-1 );
      return;
   }

   if( y < 0 || y >= WEATHER_SIZE_Y )
   {
      ch_printf( ch, "Y value must be between 0 and %d.\r\n", WEATHER_SIZE_Y-1 );
      return;
   }

and

https://github.com/Arthmoor/SmaugFUSS/blob/d86556c97649e9cb797cf4da3865677970b624cd/src/weather.c#L752-L753 should be

   x = number_range( 0, WEATHER_SIZE_X-1 );
   y = number_range( 0, WEATHER_SIZE_Y-1 );

fiendish commented 2 years ago

(I started looking because someone reported on the mushclient.com forum that AddressSanitizer reported a buffer overflow on weather.c:761)
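
The off-by-one discussed in this issue, as an added example that is not part of the original thread or the SmaugFUSS code. The array sizes, `struct cell`, `get_cell`, `accepted_by_inclusive_check` and `count_out_of_bounds` are hypothetical, and it assumes `number_range( lo, hi )` can return `hi` itself, as the suggested `WEATHER_SIZE_X-1` implies.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sizes for illustration; not the values used by SmaugFUSS. */
#define WEATHER_SIZE_X 3
#define WEATHER_SIZE_Y 2

/* Hypothetical stand-in for the project's weather cell type. */
struct cell { int temperature; };

static struct cell weatherMap[WEATHER_SIZE_X][WEATHER_SIZE_Y];

/* Half-open check: valid indices are 0 .. SIZE-1, so SIZE itself is rejected. */
struct cell *get_cell( int x, int y )
{
   if( x < 0 || x >= WEATHER_SIZE_X || y < 0 || y >= WEATHER_SIZE_Y )
      return NULL;
   return &weatherMap[x][y];
}

/* Inclusive upper bound (x > SIZE), an assumed form of the check that the
 * suggested >= replaces. It lets x == SIZE through. It only reports whether
 * the index would be accepted and never touches the array. */
int accepted_by_inclusive_check( int x, int y )
{
   return !( x < 0 || x > WEATHER_SIZE_X || y < 0 || y > WEATHER_SIZE_Y );
}

/* Walk every pair an inclusive range 0..hi_x, 0..hi_y can produce
 * (assumed number_range semantics) and count the pairs outside the map. */
int count_out_of_bounds( int hi_x, int hi_y )
{
   int x, y, bad = 0;
   for( x = 0; x <= hi_x; x++ )
      for( y = 0; y <= hi_y; y++ )
         if( get_cell( x, y ) == NULL )
            bad++;
   return bad;
}

int main( void )
{
   printf( "range 0..SIZE:   %d bad pairs\n", count_out_of_bounds( WEATHER_SIZE_X, WEATHER_SIZE_Y ) );
   printf( "range 0..SIZE-1: %d bad pairs\n", count_out_of_bounds( WEATHER_SIZE_X - 1, WEATHER_SIZE_Y - 1 ) );
   return 0;
}
```

Routing every `weatherMap` access through one checked accessor like this keeps the bound in a single place instead of at each call site.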