2017-11-21 15:01 CET

View Issue Details

ID: 0001748
Project: OpenClonk
Category: Engine
View Status: public
Last Update: 2017-10-26 15:26
Reporter: Isilkor
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version:
Target Version: git master
Fixed in Version:

Summary: 0001748: Stack buffer overrun in C4LoaderScreen::Init
Description:
C4LoaderScreen::Init does not do length checking before strcpy'ing its argument into several statically sized stack buffers. It is possible to make the function clobber memory unrelated to these buffers by starting a scenario with a very long string in C4Scenario::Head::Loader, which has a maximum size well beyond the limits of the stack buffers.

Additional Information:
This does not currently overwrite the return address on gcc based builds, because gcc reorders variables so that a huge C4Group object resides between the overflowing buffers and the return address; the strcpy overwrites part of the C4Group instead, which appears to be harmless because the write only affects members that are not used before the function returns.

MSVC does not reorder the variables in this way, and thus triggers a fastfail because the stack canary gets corrupted.

Tags: No tags attached.
Attached Files:
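The bug class the report describes, shown as an added example that is not OpenClonk's code: an unbounded strcpy of a scenario-controlled string into a fixed-size stack buffer, next to a variant that checks the length first and rejects oversized input instead of copying. The buffer size (kBufSize), the function and namespace names and the way the Loader string is built are assumptions for illustration; the report does not give the engine's actual buffer sizes.

```cpp
// Added example, not OpenClonk code. Illustrates the unchecked-strcpy pattern
// from issue 0001748 beside a length-checked replacement. All names and the
// buffer size are assumptions, not the engine's.
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

namespace example {

// Assumed size of the fixed stack buffer. The real sizes in
// C4LoaderScreen::Init are not stated in the report.
constexpr std::size_t kBufSize = 64;

// Vulnerable pattern: no length check before strcpy into a fixed buffer.
// With strlen(loader) >= kBufSize this writes past 'path' (undefined
// behaviour); which neighbours get clobbered depends on how the compiler
// lays out the frame, as the report notes for gcc versus MSVC.
// Kept for comparison only; never call it with untrusted input.
void InitUnchecked(const char* loader) {
    char path[kBufSize];
    std::strcpy(path, loader);   // the bug: source length never checked
    (void)path;
}

// Hardened copy: succeed only if src and its terminator fit in dst.
// On failure dst is left as an empty string and false is returned, so the
// caller can refuse the scenario rather than silently truncating a path.
bool CopyChecked(char* dst, std::size_t dstSize, const char* src) {
    if (dstSize == 0) return false;
    const std::size_t n = std::strlen(src);
    if (n >= dstSize) {          // '>=' leaves room for the NUL terminator
        dst[0] = '\0';
        return false;
    }
    std::memcpy(dst, src, n + 1);
    return true;
}

// Same shape as the vulnerable function, but fails closed on long input.
bool InitChecked(const char* loader) {
    char path[kBufSize];
    if (!CopyChecked(path, sizeof path, loader)) return false;
    // ... the rest of the initialisation would use 'path' here ...
    return true;
}

// Builds a Head::Loader-like string of the given length, standing in for
// the oversized value a crafted scenario file could supply (constructed input).
std::string MakeLoaderString(std::size_t len) {
    return std::string(len, 'A');
}

} // namespace example

int main() {
    using namespace example;
    const std::string ok   = MakeLoaderString(kBufSize - 1);
    const std::string long_ = MakeLoaderString(4096);
    std::printf("%zu chars: %s\n", ok.size(),
                InitChecked(ok.c_str()) ? "accepted" : "rejected");
    std::printf("%zu chars: %s\n", long_.size(),
                InitChecked(long_.c_str()) ? "accepted" : "rejected");
    return 0;
}
```

The check uses `>=` rather than `>` so the terminator is counted; a `strncpy`-based fix would avoid the overrun but can leave the buffer unterminated and silently truncate the path, which is why this version rejects the input instead.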


Notes

~0005845
Clonkonaut (developer)
2017-10-26 15:26

Detached target version. No idea how severe this bug is or if or when this will be fixed.

Issue History

Date Modified      Username     Field            Change
2016-06-15 12:50   Isilkor      New Issue
2016-06-15 13:10   Isilkor      File Added       issue1748.ocs.zip
2017-08-05 15:58   Maikel       Target Version   => 8.0
2017-10-26 15:25   Clonkonaut   Target Version   8.0 => git master
2017-10-26 15:26   Clonkonaut   Note Added       0005845