OpenClonk Bugtracker - OpenClonk
View Issue Details
ID: 0001748
Project: OpenClonk
Category: Engine
View Status: public
Date Submitted: 2016-06-15 10:50
Last Update: 2018-01-29 10:39
Assigned To:
Platform:
OS:
OS Version:
Product Version:
Target Version: git master
Fixed in Version: 8.0
Summary: 0001748: Stack buffer overrun in C4LoaderScreen::Init
Description: C4LoaderScreen::Init does not do length checking before strcpy'ing its argument into several statically sized stack buffers. It is possible to make the function clobber memory unrelated to these buffers by starting a scenario with a very long string in C4Scenario::Head::Loader, which has a maximum size well beyond the limits of the stack buffers.
Additional Information: This does not currently overwrite the return address on gcc based builds, because gcc reorders variables so that a huge C4Group object resides between the overflowing buffers and the return address; the strcpy overwrites part of the C4Group instead, which appears to be harmless because the write only affects members that are not used before the function returns.
MSVC does not reorder the variables in this way, and thus triggers a fastfail because the stack canary gets corrupted.
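The unchecked-copy pattern the report describes, beside a length-checked replacement, as an added C example that is not OpenClonk code; the struct, buffer sizes and function names are assumed for illustration and do not come from C4LoaderScreen.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes; the real C4LoaderScreen buffer sizes are not on the page. */
#define LOADER_NAME_MAX 64
#define LOADER_PATH_MAX 48

struct loader_screen {
    char name[LOADER_NAME_MAX];
    char path[LOADER_PATH_MAX];
};

/* Before (the pattern the report describes, shown only and never called):
 *     char name[LOADER_NAME_MAX];
 *     strcpy(name, loader);   // no check that loader fits in name
 * A Loader value longer than the buffer keeps writing past its end into
 * whatever the compiler placed next to it (stack canary, other locals). */

/* Copy src into dst[dst_size], rejecting (not truncating) input that does
 * not fit including its terminating NUL. memchr never scans past dst_size
 * bytes, so an unterminated or overlong src is still handled safely.
 * Returns false on overlong input. */
static bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)                 /* no NUL within dst_size: too long */
        return false;
    memcpy(dst, src, (size_t)(end - src) + 1);
    return true;
}

/* Hardened initialisation: every fixed-size copy is length checked, and an
 * overlong Loader string fails the call instead of corrupting memory. */
bool loader_init(struct loader_screen *ls, const char *loader)
{
    memset(ls, 0, sizeof *ls);
    if (!copy_bounded(ls->name, sizeof ls->name, loader))
        return false;
    /* snprintf returns the length the full string would have had; a value
     * >= the buffer size means it was truncated, which we treat as an error. */
    int needed = snprintf(ls->path, sizeof ls->path, "Graphics/%s.png", loader);
    if (needed < 0 || (size_t)needed >= sizeof ls->path)
        return false;
    return true;
}
```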
Tags: No tags attached.
Attached Files: zip (624) 2016-06-15 11:10

Note 0005845 by Clonkonaut, 2017-10-26 13:26:
Detached target version. No idea how severe this bug is or if or when this will be fixed.
Note 0006101 by occ, 2018-01-28 11:54:
Hi! There's been a check-in that references this bug. For more information you can visit the repository browser at this address:

Changeset 384472f by Kanibal <>
Modernize loader loading code (0001748)

Issue History
2016-06-15 10:50  Isilkor     New Issue
2016-06-15 11:10  Isilkor     File Added:
2017-08-05 13:58  Maikel      Target Version => 8.0
2017-10-26 13:25  Clonkonaut  Target Version 8.0 => git master
2017-10-26 13:26  Clonkonaut  Note Added: 0005845
2018-01-28 11:54  occ         Note Added: 0006101
2018-01-29 10:39  Caesar      Status new => resolved
2018-01-29 10:39  Caesar      Resolution open => fixed
2018-01-29 10:39  Caesar      Fixed in Version => 8.0