Source-Changes-HG archive
[src/netbsd-2]: src/games/tetris Pull up following revision(s) (requested by ...
details: https://anonhg.NetBSD.org/src/rev/ede0a62d8c16
branches: netbsd-2
changeset: 564490:ede0a62d8c16
user: tron <tron%NetBSD.org@localhost>
date: Thu Jun 08 22:27:57 2006 +0000
description:
Pull up following revision(s) (requested by dan in ticket #10641):
games/tetris/scores.c: revision 1.14
Better check data read from tetris.scores before use as array indices etc.
This is CVE-2006-1539, filed against Gentoo Linux, the patch is from
Gentoo.
A standard NetBSD installation is not as much risk because tetris is
sgid "games", and users shouldn't be in that group.
diffstat:
games/tetris/scores.c | 21 ++++++++++++---------
1 files changed, 12 insertions(+), 9 deletions(-)
diffs (49 lines):
diff -r 1a556cd0d169 -r ede0a62d8c16 games/tetris/scores.c
--- a/games/tetris/scores.c Sun Jun 04 22:27:55 2006 +0000
+++ b/games/tetris/scores.c Thu Jun 08 22:27:57 2006 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: scores.c,v 1.13 2004/01/27 20:30:30 jsm Exp $ */
+/* $NetBSD: scores.c,v 1.13.4.1 2006/06/08 22:27:57 tron Exp $ */
/*-
* Copyright (c) 1992, 1993
@@ -334,7 +334,8 @@
continue;
}
}
- levelfound[sp->hs_level] = 1;
+ if (sp->hs_level < NLEVELS && sp->hs_level >= 0)
+ levelfound[sp->hs_level] = 1;
i++, sp++;
}
return (num > MAXHISCORES ? MAXHISCORES : num);
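Review bot: The new range check in front of `levelfound[sp->hs_level] = 1;` only skips the array write; a record whose hs_level is outside 0..NLEVELS-1 still reaches `i++, sp++` and stays in the table that is counted and returned. Since hs_level comes from the score file, consider dropping such a record here instead of only skipping the write, so that later code never sees the bad value. A one-line comment saying that the bound protects levelfound[] from a file-controlled index would also help the next reader.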
@@ -373,12 +374,14 @@
for (i = MINLEVEL; i < NLEVELS; i++)
levelfound[i] = 0;
for (i = 0, sp = scores; i < nscores; i++, sp++) {
- if (levelfound[sp->hs_level])
- sp->hs_time = 0;
- else {
- sp->hs_time = 1;
- levelfound[sp->hs_level] = 1;
- }
+ if (sp->hs_level < NLEVELS && sp->hs_level >= 0) {
+ if (levelfound[sp->hs_level])
+ sp->hs_time = 0;
+ else {
+ sp->hs_time = 1;
+ levelfound[sp->hs_level] = 1;
+ }
+ }
}
/*
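Review bot: In the out-of-range case of the new `if (sp->hs_level < NLEVELS && sp->hs_level >= 0) {` block, sp->hs_time is no longer assigned at all, whereas before this change every entry was set to 0 or 1. An `else sp->hs_time = 0;` would keep the flag defined for every entry that is printed later. Separately, the loop directly above clears levelfound[] starting at MINLEVEL, so if MINLEVEL is greater than 0 the lower bound of the check should be MINLEVEL rather than 0 to match it.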
@@ -432,7 +435,7 @@
continue;
}
sp = &hs[item];
- (void)sprintf(buf,
+ (void)snprintf(buf, sizeof(buf),
"%3d%c %6d %-11s (%6d on %d)",
item + offset, sp->hs_time ? '*' : ' ',
sp->hs_score * sp->hs_level,
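Review bot: The `(void)snprintf(buf, sizeof(buf),` call bounds the write, but the return value is still discarded, so a truncated score line goes out silently; checking it against sizeof(buf) would make that case visible. The argument `sp->hs_score * sp->hs_level` is also still computed from values read from the score file with no range check in this hunk, so validating hs_level (and hs_score) once when the records are read would cover this use as well. Note that `sizeof(buf)` is only correct if buf is an array in this scope, which these lines do not show.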