OpenClonk Bugtracker - OpenClonk
View Issue Details
Issue ID: 0001748
Project: OpenClonk
Category: Engine
View Status: public
Date Submitted: 2016-06-15 10:50
Last Update: 2018-01-29 10:39
Reporter: Isilkor
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Platform:
OS:
OS Version:
Product Version:
Target Version: git master
Fixed in Version: 8.0
Summary: 0001748: Stack buffer overrun in C4LoaderScreen::Init

Description:
C4LoaderScreen::Init does not do length checking before strcpy'ing its argument into several statically sized stack buffers. It is possible to make the function clobber memory unrelated to these buffers by starting a scenario with a very long string in C4Scenario::Head::Loader, which has a maximum size well beyond the limits of the stack buffers.

Additional Information:
This does not currently overwrite the return address on gcc based builds, because gcc reorders variables so that a huge C4Group object resides between the overflowing buffers and the return address; the strcpy overwrites part of the C4Group instead, which appears to be harmless because the write only affects members that are not used before the function returns.
MSVC does not reorder the variables in this way, and thus triggers a fastfail because the stack canary gets corrupted.
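The report's root cause is an unbounded strcpy from a field whose capacity is larger than the fixed stack buffers it is copied into. The following is an added illustration, not code from OpenClonk or from the linked changeset, of the fix pattern a reviewer would ask for: measure the input against the destination size before copying and refuse over-long values outright, so neither an overrun nor a silently truncated, unterminated string can occur. The buffer sizes (LOADER_NAME_MAX, SCENARIO_LOADER_MAX) and the function names (bounded_len, copy_bounded, loader_init, constructed_overlong_loader) are assumptions for this example; the real sizes in C4LoaderScreen::Init are not given on the page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffers; the real sizes are not stated in the report. */
#define LOADER_NAME_MAX 64
/* Assumed capacity of the scenario field, standing in for the larger
   maximum of C4Scenario::Head::Loader that the report describes. */
#define SCENARIO_LOADER_MAX 512

/* Length of src without ever scanning past `limit` bytes (the strnlen idea,
   written out so it builds with any C99 toolchain). */
static size_t bounded_len(const char *src, size_t limit) {
    size_t n = 0;
    while (n < limit && src[n] != '\0') n++;
    return n;
}

/* Bounded replacement for an unchecked strcpy into a fixed-size buffer.
   Returns 0 on success and -1 when src plus its terminator would not fit.
   On failure dst becomes the empty string, so a caller never sees a partial,
   unterminated copy, and no byte is ever written past dst_size. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) return -1;
    size_t n = bounded_len(src, dst_size);
    if (n >= dst_size) { dst[0] = '\0'; return -1; }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened sketch of the problematic step: the loader name is copied into
   several fixed-size stack buffers, but an over-long value is rejected
   instead of overrunning them. Returns 1 if accepted, 0 if rejected; on
   acceptance the file name is copied to `out` (LOADER_NAME_MAX bytes). */
int loader_init(const char *loader_value, char *out) {
    char file_name[LOADER_NAME_MAX];
    char title[LOADER_NAME_MAX];

    if (copy_bounded(file_name, sizeof file_name, loader_value) != 0) return 0;
    if (copy_bounded(title, sizeof title, loader_value) != 0) return 0;

    /* The real function would go on to open the file and set up the screen. */
    memcpy(out, file_name, strlen(file_name) + 1);
    return 1;
}

/* Constructed over-long input: a loader name far longer than the stack
   buffers, the shape of input the report describes. */
const char *constructed_overlong_loader(void) {
    static char value[SCENARIO_LOADER_MAX];
    memset(value, 'A', sizeof value - 1);
    value[sizeof value - 1] = '\0';
    return value;
}

int main(void) {
    char name[LOADER_NAME_MAX];
    printf("short name accepted:    %d\n", loader_init("Loader.png", name));
    printf("overlong name accepted: %d\n", loader_init(constructed_overlong_loader(), name));
    return 0;
}
```

Rejecting rather than truncating is deliberate: a plain strncpy would stop the overrun but leaves the buffer without a terminator when the input is exactly too long, which moves the bug to the next string operation instead of fixing it. The explicit size check is also what a canary-based fastfail (the MSVC behaviour noted above) can only detect after the fact; the check prevents the write from happening at all.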
Tags: No tags attached.
Attached Files: issue1748.ocs.zip (624) 2016-06-15 11:10
https://bugs.openclonk.org/file_download.php?file_id=626&type=bug

Notes

(0005845) Clonkonaut, 2017-10-26 13:26
Detached target version. No idea how severe this bug is or if or when this will be fixed.

(0006101) occ, 2018-01-28 11:54
Hi! There's been a check-in that references this bug. For more information you can visit the repository browser at this address:
https://git.openclonk.org/openclonk.git/commitdiff/384472f183bbe44578143aa3f409777c9e474064

Changeset 384472f by Kanibal <frustrum@pictor.uberspace.de>
Modernize loader loading code (0001748)

Issue History
2016-06-15 10:50  Isilkor     New Issue
2016-06-15 11:10  Isilkor     File Added: issue1748.ocs.zip
2017-08-05 13:58  Maikel      Target Version => 8.0
2017-10-26 13:25  Clonkonaut  Target Version: 8.0 => git master
2017-10-26 13:26  Clonkonaut  Note Added: 0005845
2018-01-28 11:54  occ         Note Added: 0006101
2018-01-29 10:39  Caesar      Status: new => resolved
2018-01-29 10:39  Caesar      Resolution: open => fixed
2018-01-29 10:39  Caesar      Fixed in Version => 8.0