2018-05-23 18:32 UTC

View Issue Details
ID: 0001748
Project: OpenClonk
Category: Engine
View Status: public
Last Update: 2018-01-29 10:39
Reporter: Isilkor
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version:
Target Version: git master
Fixed in Version: 8.0
Summary: 0001748: Stack buffer overrun in C4LoaderScreen::Init
Description:
C4LoaderScreen::Init does not do length checking before strcpy'ing its argument into several statically sized stack buffers. It is possible to make the function clobber memory unrelated to these buffers by starting a scenario with a very long string in C4Scenario::Head::Loader, which has a maximum size well beyond the limits of the stack buffers.
Additional Information:
This does not currently overwrite the return address on gcc based builds, because gcc reorders variables so that a huge C4Group object resides between the overflowing buffers and the return address; the strcpy overwrites part of the C4Group instead, which appears to be harmless because the write only affects members that are not used before the function returns.
MSVC does not reorder the variables in this way, and thus triggers a fastfail because the stack canary gets corrupted.
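Added illustration, not code from the OpenClonk tree: the report says the argument is strcpy'd into fixed-size stack buffers with no length check, so a Loader string longer than a buffer writes past it. The C below places that unchecked shape next to a bounded copy that refuses a string that does not fit, which is the check the fixed function needs. The buffer size (64), the function names, and the sample inputs are assumptions; the real sizes and names in C4LoaderScreen::Init are not on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in size for the statically sized stack buffers the report
 * describes. The real sizes in C4LoaderScreen::Init are not on the
 * page; 64 is an assumption for illustration. */
#define LOADER_BUF_SIZE 64

/* The pattern the report describes: the argument is strcpy'd into a
 * fixed stack buffer with no length check, so a Loader string longer
 * than the buffer writes past it. Kept only for comparison; it is never
 * called with oversized input in this example. */
int init_loader_screen_unchecked(const char *loader_spec)
{
    char szLoaderSpec[LOADER_BUF_SIZE];
    strcpy(szLoaderSpec, loader_spec);      /* no bound: the defect */
    return szLoaderSpec[0] != '\0';
}

/* Bounded copy that never writes past dst_size bytes and always leaves
 * dst NUL-terminated. Returns 1 if the whole string fit, 0 if rejected.
 * memchr is used instead of strlen so a huge source is never scanned
 * beyond the size of the destination. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL) {          /* no terminator within dst_size: too long */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 1;
}

/* Hardened shape: reject scenario-controlled text that does not fit
 * rather than truncating silently (truncation would quietly change
 * which loader file is looked up). Returns 1 on success, 0 if rejected. */
int init_loader_screen(const char *loader_spec)
{
    char szLoaderSpec[LOADER_BUF_SIZE];
    if (!copy_bounded(szLoaderSpec, sizeof szLoaderSpec, loader_spec))
        return 0;
    /* ... remaining initialisation would use szLoaderSpec ... */
    return szLoaderSpec[0] != '\0';
}

/* Exercises the check with a constructed Loader string of n characters
 * (all 'A'); returns what init_loader_screen returned, -1 on malloc failure. */
int spec_of_length_accepted(size_t n)
{
    char *spec = malloc(n + 1);
    if (spec == NULL)
        return -1;
    memset(spec, 'A', n);
    spec[n] = '\0';
    int accepted = init_loader_screen(spec);
    free(spec);
    return accepted;
}

int main(void)
{
    printf("63-char spec accepted: %d\n", spec_of_length_accepted(63));     /* fits */
    printf("64-char spec accepted: %d\n", spec_of_length_accepted(64));     /* rejected */
    printf("4096-char spec accepted: %d\n", spec_of_length_accepted(4096)); /* rejected */
    return 0;
}
```

The bound is taken from sizeof the destination, so the check cannot drift from the buffer declaration; the gcc variable reordering and the MSVC canary the report mentions only change what the overflow hits, not whether it happens.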
Tags: No tags attached.
Attached Files:


Notes

~0005845

Clonkonaut (developer)

Detached target version. No idea how severe this bug is or if or when this will be fixed.

~0006101

occ (reporter)

Hi! There's been a check-in that references this bug. For more information you can visit the repository browser at this address:
https://git.openclonk.org/openclonk.git/commitdiff/384472f183bbe44578143aa3f409777c9e474064

Changeset 384472f by Kanibal <frustrum@pictor.uberspace.de>
Modernize loader loading code (0001748)


Issue History
Date Modified Username Field Change
2016-06-15 10:50 Isilkor New Issue
2016-06-15 11:10 Isilkor File Added: issue1748.ocs.zip
2017-08-05 13:58 Maikel Target Version => 8.0
2017-10-26 13:25 Clonkonaut Target Version 8.0 => git master
2017-10-26 13:26 Clonkonaut Note Added: 0005845
2018-01-28 11:54 occ Note Added: 0006101
2018-01-29 10:39 Caesar Status new => resolved
2018-01-29 10:39 Caesar Resolution open => fixed
2018-01-29 10:39 Caesar Fixed in Version => 8.0