kyonshi/tbamud
1
0
Fork 0
mirror of https://github.com/tbamud/tbamud.git synced 2026-04-30 04:41:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix stack buffer overflow in perform_complex_alias() - add bounds checks

Browse Source 
Agent-Logs-Url: https://github.com/tbamud/tbamud/sessions/2a126e43-3602-48d0-9027-2e7c2021a94c

Co-authored-by: welcor <357770+welcor@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-04-24 10:19:27 +00:00
committed by GitHub
parent d874a966e7
commit 853806b812
1 changed files with 18 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
src/interpreter.c
View File

@@ -41,7 +41,7 @@
/* local (file scope) functions */ /* local (file scope) functions */
static int perform_dupe_check(struct descriptor_data *d); static int perform_dupe_check(struct descriptor_data *d);
static struct alias_data *find_alias(struct alias_data *alias_list, char *str); static struct alias_data *find_alias(struct alias_data *alias_list, char *str);
static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alias_data *a); static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alias_data *a, struct char_data *ch);
static int _parse_name(char *arg, char *name); static int _parse_name(char *arg, char *name);
static bool perform_new_char_dupe_check(struct descriptor_data *d); static bool perform_new_char_dupe_check(struct descriptor_data *d);
/* sort_commands utility */ /* sort_commands utility */
@@ -668,7 +668,7 @@ ACMD(do_alias)
* commands. */ * commands. */
#define NUM_TOKENS 9 #define NUM_TOKENS 9
static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alias_data *a) static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alias_data *a, struct char_data *ch)
{ {
struct txt_q temp_queue; struct txt_q temp_queue;
char *tokens[NUM_TOKENS], *temp, *write_point; char *tokens[NUM_TOKENS], *temp, *write_point;
@@ -697,15 +697,25 @@ static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alia
} else if (*temp == ALIAS_VAR_CHAR) { } else if (*temp == ALIAS_VAR_CHAR) {
temp++; temp++;
if ((num = *temp - '1') < num_of_tokens && num >= 0) { if ((num = *temp - '1') < num_of_tokens && num >= 0) {
strcpy(write_point, tokens[num]); /* strcpy: OK */ if ((write_point - buf) + strlen(tokens[num]) >= MAX_RAW_INPUT_LENGTH) {
send_to_char(ch, "Alias expansion too long.\r\n");
return;
}
strcpy(write_point, tokens[num]);
write_point += strlen(tokens[num]); write_point += strlen(tokens[num]);
} else if (*temp == ALIAS_GLOB_CHAR) { } else if (*temp == ALIAS_GLOB_CHAR) {
skip_spaces(&orig); skip_spaces(&orig);
strcpy(write_point, orig); /* strcpy: OK */ if ((write_point - buf) + strlen(orig) >= MAX_RAW_INPUT_LENGTH) {
send_to_char(ch, "Alias expansion too long.\r\n");
return;
}
strcpy(write_point, orig);
write_point += strlen(orig); write_point += strlen(orig);
} else if ((*(write_point++) = *temp) == '$') /* redouble $ for act safety */ } else if (write_point - buf + 2 < MAX_RAW_INPUT_LENGTH) {
*(write_point++) = '$'; if ((*(write_point++) = *temp) == '$') /* redouble $ for act safety */
} else *(write_point++) = '$';
}
} else if (write_point - buf + 1 < MAX_RAW_INPUT_LENGTH)
*(write_point++) = *temp; *(write_point++) = *temp;
} }
@@ -755,7 +765,7 @@ int perform_alias(struct descriptor_data *d, char *orig, size_t maxlen)
strlcpy(orig, a->replacement, maxlen); strlcpy(orig, a->replacement, maxlen);
return (0); return (0);
} else { } else {
perform_complex_alias(&d->input, ptr, a); perform_complex_alias(&d->input, ptr, a, d->character);
return (1); return (1);
} }
} }