From 91e5667aae786e39a33ea9d47a27b8e3e0f32a38 Mon Sep 17 00:00:00 2001 From: Gerfried Fuchs Date: Wed, 14 Jul 2010 21:42:17 +0200 Subject: [PATCH] Imported Upstream version 0.52 --- README | 8 +++++++- VERSION | 2 +- inet.c | 3 +++ robot_desc | 6 +++--- 4 files changed, 14 insertions(+), 5 deletions(-) diff --git a/README b/README index 9420e20..0a5f522 100644 --- a/README +++ b/README @@ -51,6 +51,12 @@ how it goes, and send me diffs if needed! See the FAQ in this directory if you have any problems. +FIXED IN VERSION 0.52 +===================== +Fixed a buffer overflow vulnerability discovered by +Artur Byszko / bajkero + + NEW IN VERSION 0.5 ================== Netris now specifically looks for ncurses and uses color if it's @@ -88,7 +94,7 @@ the game. Unlike standard T*tris, Netris gives you a little extra time after dropping a piece before it solidifies. This allows you to slide the piece into a notch without waiting for it to fall the whole way down. -In fact, if you can even slide it off a cliff and it'll start falling +In fact, you can even slide it off a cliff and it'll start falling again. If you think it should automatically drop again in this case, use the -D option. diff --git a/VERSION b/VERSION index 2eb3c4f..3ccbc51 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.5 +0.52 diff --git a/inet.c b/inet.c index dbfe748..a8d9a9d 100644 --- a/inet.c +++ b/inet.c @@ -151,6 +151,9 @@ static MyEventType NetGenFunc(EventGenRec *gen, MyEvent *event) memcpy(data, netBuf, sizeof(data)); type = ntoh2(data[0]); size = ntoh2(data[1]); + if (size >= sizeof(netBuf)) + fatal("Received an invalid packet (too large), possibly an attempt\n" + " to exploit a vulnerability in versions before 0.52 !"); netBufGoal = size; if (netBufSize < netBufGoal) return E_none; diff --git a/robot_desc b/robot_desc index 53415b2..3c9baca 100644 --- a/robot_desc +++ b/robot_desc 
@@ -84,7 +84,7 @@ view of the board is incorrect until the "TimeStamp". is an integer from 0 to boardHeight-1. 0 is the bottom row. ... are integers separated by spaces, one for each column. -"0" indicates an empty square. Positive integers indicates blocks. +"0" indicates an empty square. Positive integers indicate blocks. Currently only "1" is used, but in the future there may be special kinds of blocks indicated by higher numbers. Negative integers indicate part of the currently falling piece. For each block, the absolute value of the @@ -151,8 +151,8 @@ long to fit on the screen may be truncated. EXAMPLE ======= Here's a portion of an example log generated by the sample robot. The -sample robot generates a log file in "log" if the "-l" is given to sr -(eg "netris -r 'sr -l'"). +sample robot generates a log file in "log" if the "-l" option is given +to sr (eg "netris -r 'sr -l'"). In this log file, every line is preceeded by two characters. Lines sent from Netris to the robot are preceeded by two spaces " ", and -- 2.39.2
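Review bot: In the inet.c hunk (NetGenFunc), the new test `if (size >= sizeof(netBuf))` bounds the length field only from above, so a `size` smaller than the header just copied out with `memcpy(data, netBuf, sizeof(data))` still reaches `netBufGoal = size`. Consider rejecting `size < sizeof(data)` in the same condition; the rest of the function is outside the hunk, so whether a goal shorter than the header is handled safely cannot be confirmed from these lines. The declaration of `size` is also not in the visible context: if it is a signed type, negative values are caught only through the implicit conversion to unsigned in the comparison with `sizeof`, which deserves an explicit cast or a comment. Finally, `fatal()` is reached on peer-controlled input; if it terminates the process, closing the connection and returning an error event would let a malformed packet end the session without ending the program.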
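Review bot: The new "FIXED IN VERSION 0.52" entry in the README hunk says only that a buffer overflow was fixed and does not say where. The inet.c change in this same patch shows that the flaw is in the handling of a received packet whose size field is too large, and its error message names "versions before 0.52" as affected. Suggest adding one line to the README entry stating that the overflow is triggered by an oversized packet from the network peer and that all versions before 0.52 are affected, so users and packagers can judge their exposure from the changelog alone.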
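Review bot: The second robot_desc hunk (at line 151) rewords the "-l" sentence but leaves "preceeded" misspelled twice in the context lines directly below it ("every line is preceeded by two characters" and "are preceeded by two spaces"). Since this patch is already fixing wording in that paragraph, correct both to "preceded" in the same pass.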