View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0001748 | OpenClonk | Engine | public | 2016-06-15 10:50 | 2018-01-29 10:39

Reporter | Isilkor
Assigned To |
Priority | normal
Severity | major
Reproducibility | always
Status | resolved
Resolution | fixed
Product Version |
Target Version | git master
Fixed in Version | 8.0
Summary | 0001748: Stack buffer overrun in C4LoaderScreen::Init
Description | C4LoaderScreen::Init does not do length checking before strcpy'ing its argument into several statically sized stack buffers. It is possible to make the function clobber memory unrelated to these buffers by starting a scenario with a very long string in C4Scenario::Head::Loader, which has a maximum size well beyond the limits of the stack buffers.
Additional Information | This does not currently overwrite the return address on gcc based builds, because gcc reorders variables so that a huge C4Group object resides between the overflowing buffers and the return address; the strcpy overwrites part of the C4Group instead, which appears to be harmless because the write only affects members that are not used before the function returns. MSVC does not reorder the variables in this way, and thus triggers a fastfail because the stack canary gets corrupted.
Tags | No tags attached.
Attached Files | issue1748.ocs.zip
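The pattern the report describes, shown as an added C example that is not code from the OpenClonk sources: a function that strcpy's its argument into fixed-size stack buffers with no length check, next to a version that validates the length against the buffer size before copying. The buffer sizes (64 bytes), the 512-byte field limit standing in for C4Scenario::Head::Loader, and all function and variable names are assumptions for illustration. The unchecked variant is only ever called with short input here, because the overrun itself is undefined behaviour; the report's observation that gcc and MSVC fail differently is a consequence of frame layout, so a build that happens not to crash is no evidence the write is harmless. The fix is the check, not the layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative sizes, assumed for this example (not taken from the OpenClonk
 * sources): the stack buffers are small, while the scenario field that feeds
 * them (C4Scenario::Head::Loader in the report) may be far longer. */
#define LOADER_BUF_SIZE    64
#define SCENARIO_FIELD_MAX 512

/* The vulnerable shape the report describes: the argument is strcpy'd into
 * several fixed-size stack buffers with no length check. With
 * strlen(loader) >= LOADER_BUF_SIZE this is a stack buffer overrun (undefined
 * behaviour); whether it clobbers a neighbouring object, a canary or the
 * return address depends on how the compiler laid out the frame, which is
 * why the report sees different symptoms on gcc and MSVC. */
static size_t init_loader_unchecked(const char *loader)
{
    char file_name[LOADER_BUF_SIZE];
    char base_name[LOADER_BUF_SIZE];

    strcpy(file_name, loader);   /* no bound: overruns file_name on long input */
    strcpy(base_name, loader);   /* ...and base_name */
    char *dot = strrchr(base_name, '.');
    if (dot != NULL)
        *dot = '\0';
    return strlen(file_name) + strlen(base_name);
}

/* Length of s, scanning at most max bytes, so a missing terminator cannot
 * walk past the end of the field (a portable stand-in for strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* True when loader is a terminated string of at most field_max bytes that
 * fits in buf_size bytes including the terminating NUL. */
static bool loader_fits(const char *loader, size_t field_max, size_t buf_size)
{
    size_t len = bounded_len(loader, field_max + 1);
    return len <= field_max && len < buf_size;
}

/* Hardened version: validate the length before touching any stack buffer,
 * then copy with an explicit bound. Writes the loader name without its
 * extension to base_out and returns its length, or -1 if the input was
 * rejected (too long for the stack buffers or for base_out). */
static int init_loader_checked(const char *loader, char *base_out, size_t base_out_size)
{
    if (!loader_fits(loader, SCENARIO_FIELD_MAX, LOADER_BUF_SIZE))
        return -1;

    char file_name[LOADER_BUF_SIZE];
    size_t len = strlen(loader);          /* safe: bounded by loader_fits */
    memcpy(file_name, loader, len + 1);   /* bounded copy including the NUL */

    char *dot = strrchr(file_name, '.');
    size_t base_len = (dot != NULL) ? (size_t)(dot - file_name) : len;
    if (base_len + 1 > base_out_size)
        return -1;
    memcpy(base_out, file_name, base_len);
    base_out[base_len] = '\0';
    return (int)base_len;
}

int main(void)
{
    /* Constructed inputs: a normal loader name and a field-length run of 'A'
     * standing in for the overlong C4Scenario::Head::Loader in the report. */
    const char *normal = "Loader.png";
    char overlong[SCENARIO_FIELD_MAX];
    memset(overlong, 'A', sizeof(overlong) - 1);
    overlong[sizeof(overlong) - 1] = '\0';

    char base[LOADER_BUF_SIZE];
    int n = init_loader_checked(normal, base, sizeof base);
    printf("unchecked(\"%s\") -> %zu\n", normal, init_loader_unchecked(normal));
    printf("checked(\"%s\") -> %d (\"%s\")\n", normal, n, base);
    printf("checked(%zu-byte string) -> %d (rejected)\n",
           strlen(overlong), init_loader_checked(overlong, base, sizeof base));
    return 0;
}
```

The check rejects anything that would not fit rather than silently truncating, which is the safer default when the string later names a file to open: a truncated path can resolve to a different file than the one the scenario asked for.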
Clonkonaut (developer) 2017-10-26 13:26
Detached target version. No idea how severe this bug is or if or when this will be fixed.

occ (reporter) 2018-01-28 11:54
Hi! There's been a check-in that references this bug. For more information you can visit the repository browser at this address: https://git.openclonk.org/openclonk.git/commitdiff/384472f183bbe44578143aa3f409777c9e474064
Changeset 384472f by Kanibal <frustrum@pictor.uberspace.de>
Modernize loader loading code (0001748)
Issue History
Date Modified | Username | Field | Change
---|---|---|---
2016-06-15 10:50 | Isilkor | New Issue | |
2016-06-15 11:10 | Isilkor | File Added: issue1748.ocs.zip | |
2017-08-05 13:58 | Maikel | Target Version | => 8.0 |
2017-10-26 13:25 | Clonkonaut | Target Version | 8.0 => git master |
2017-10-26 13:26 | Clonkonaut | Note Added: 0005845 | |
2018-01-28 11:54 | occ | Note Added: 0006101 | |
2018-01-29 10:39 | Caesar | Status | new => resolved |
2018-01-29 10:39 | Caesar | Resolution | open => fixed |
2018-01-29 10:39 | Caesar | Fixed in Version | => 8.0 |