From 0a2f18be14fc5caf4064ce2accccdb29ef1754d4 Mon Sep 17 00:00:00 2001
From: David Rhodus
Date: Tue, 26 Aug 2003 23:52:50 +0000
Subject: [PATCH] The game rogue(6) has a potential buffer overflow allowing the attacker to gain gid games. In addition, it includes a spelling fix.
---
 games/rogue/inventory.c | 9 ++++-----
 games/rogue/message.c | 4 ++--
 games/rogue/move.c | 3 +--
 games/rogue/object.c | 3 +--
 games/rogue/pack.c | 4 ++--
 games/rogue/rogue.h | 15 ++++++++++++---
 games/rogue/save.c | 34 ++++++++++++++++++++++------------
 games/rogue/score.c | 3 +--
 games/rogue/use.c | 3 +--
 9 files changed, 46 insertions(+), 32 deletions(-)
diff --git a/games/rogue/inventory.c b/games/rogue/inventory.c
index e8368fc2f4..dc559e783a 100644
--- a/games/rogue/inventory.c
+++ b/games/rogue/inventory.c
@@ -35,7 +35,7 @@
 *
 * @(#)inventory.c 8.1 (Berkeley) 5/31/93
 * $FreeBSD: src/games/rogue/inventory.c,v 1.4 1999/11/30 03:49:23 billf Exp $
- * $DragonFly: src/games/rogue/inventory.c,v 1.2 2003/06/17 04:25:24 dillon Exp $
+ * $DragonFly: src/games/rogue/inventory.c,v 1.3 2003/08/26 23:52:50 drhodus Exp $
 */
 
 /*
@@ -411,14 +411,13 @@ int ch;
 mix_colors()
 {
 short i, j, k;
- char *t;
+ char *t[MAX_ID_TITLE_LEN];
 
 for (i = 0; i <= 32; i++) {
 j = get_rand(0, (POTIONS - 1));
 k = get_rand(0, (POTIONS - 1));
- t = id_potions[j].title;
- id_potions[j].title = id_potions[k].title;
- id_potions[k].title = t;
+ memcpy(t, id_potions[j].title, MAX_ID_TITLE_LEN);
+ memcpy(id_potions[j].title, id_potions[k].title, MAX_ID_TITLE_LEN);
 }
 }
 
diff --git a/games/rogue/message.c b/games/rogue/message.c
index 8fef82efa6..58bb9eea79 100644
--- a/games/rogue/message.c
+++ b/games/rogue/message.c
@@ -35,7 +35,7 @@
 *
 * @(#)message.c 8.1 (Berkeley) 5/31/93
 * $FreeBSD: src/games/rogue/message.c,v 1.7.2.1 2000/07/20 10:35:07 kris Exp $
- * $DragonFly: src/games/rogue/message.c,v 1.2 2003/06/17 04:25:24 dillon Exp $
+ * $DragonFly: src/games/rogue/message.c,v 1.3 2003/08/26 23:52:50 drhodus Exp $
 */
 
 /*
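Review bot: The rewritten swap in mix_colors is incomplete: the two memcpy calls save j's title in t and then copy k's title over j's, but the step that writes t back into id_potions[k].title was dropped (the hunk header's 14→13 line count confirms three lines were replaced by two), so the loop duplicates potion titles instead of exchanging them. The temporary is also declared as `char *t[MAX_ID_TITLE_LEN]`, an array of 64 pointers rather than 64 chars; it happens to be large enough for a 64-byte memcpy, but it is the wrong type. I would change the declaration to `char t[MAX_ID_TITLE_LEN];` and add `memcpy(id_potions[k].title, t, MAX_ID_TITLE_LEN);` after the second memcpy. The whole body of mix_colors is visible in the hunk.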
@@ -56,7 +56,7 @@
 char msgs[NMESSAGES][DCOLS] = {"", "", "", "", ""};
 short msg_col = 0, imsg = -1;
 boolean msg_cleared = 1, rmsg = 0;
-char hunger_str[8] = "";
+char hunger_str[HUNGER_STR_LEN] = "";
 const char *more = "-more-";
 
 extern boolean cant_int, did_int, interrupted, save_is_interactive, flush;
diff --git a/games/rogue/move.c b/games/rogue/move.c
index d42401b4bd..224142b269 100644
--- a/games/rogue/move.c
+++ b/games/rogue/move.c
@@ -35,7 +35,7 @@
 *
 * @(#)move.c 8.1 (Berkeley) 5/31/93
 * $FreeBSD: src/games/rogue/move.c,v 1.7 1999/11/30 03:49:24 billf Exp $
- * $DragonFly: src/games/rogue/move.c,v 1.2 2003/06/17 04:25:25 dillon Exp $
+ * $DragonFly: src/games/rogue/move.c,v 1.3 2003/08/26 23:52:50 drhodus Exp $
 */
 
 /*
@@ -60,7 +60,6 @@ extern short cur_room, halluc, blind, levitate;
 extern short cur_level, max_level;
 extern short bear_trap, haste_self, confused;
 extern short e_rings, regeneration, auto_search;
-extern char hunger_str[];
 extern boolean being_held, interrupted, r_teleport, passgo;
 
 one_move_rogue(dirch, pickup)
diff --git a/games/rogue/object.c b/games/rogue/object.c
index 894c32716b..8d5f81d164 100644
--- a/games/rogue/object.c
+++ b/games/rogue/object.c
@@ -35,7 +35,7 @@
 *
 * @(#)object.c 8.1 (Berkeley) 5/31/93
 * $FreeBSD: src/games/rogue/object.c,v 1.5 1999/11/30 03:49:25 billf Exp $
- * $DragonFly: src/games/rogue/object.c,v 1.2 2003/06/17 04:25:25 dillon Exp $
+ * $DragonFly: src/games/rogue/object.c,v 1.3 2003/08/26 23:52:50 drhodus Exp $
 */
 
 /*
@@ -155,7 +155,6 @@ struct id id_rings[RINGS] = {
 
 extern short cur_level, max_level;
 extern short party_room;
-extern char *error_file;
 extern boolean is_wood[];
 
 put_objects()
diff --git a/games/rogue/pack.c b/games/rogue/pack.c
index 46184d36bd..e20e1d20b3 100644
--- a/games/rogue/pack.c
+++ b/games/rogue/pack.c
@@ -35,7 +35,7 @@
 *
 * @(#)pack.c 8.1 (Berkeley) 5/31/93
 * $FreeBSD: src/games/rogue/pack.c,v 1.8 1999/11/30 03:49:25 billf Exp $
- * $DragonFly: src/games/rogue/pack.c,v 1.2 2003/06/17 04:25:25 dillon Exp $
+ * $DragonFly: src/games/rogue/pack.c,v 1.3 2003/08/26 23:52:50 drhodus Exp $
 */
 
 /*
@@ -338,7 +338,7 @@ wear()
 char desc[DCOLS];
 
 if (rogue.armor) {
- message("your already wearing some", 0);
+ message("you're already wearing some", 0);
 return;
 }
 ch = pack_letter("wear what?", ARMOR);
diff --git a/games/rogue/rogue.h b/games/rogue/rogue.h
index 834f937389..5d66c0b9e4 100644
--- a/games/rogue/rogue.h
+++ b/games/rogue/rogue.h
@@ -35,7 +35,7 @@
 *
 * @(#)rogue.h 8.1 (Berkeley) 5/31/93
 * $FreeBSD: src/games/rogue/rogue.h,v 1.3.2.1 2001/12/17 12:43:23 phantom Exp $
- * $DragonFly: src/games/rogue/rogue.h,v 1.2 2003/06/17 04:25:25 dillon Exp $
+ * $DragonFly: src/games/rogue/rogue.h,v 1.3 2003/08/26 23:52:50 drhodus Exp $
 */
 
 #include
@@ -195,9 +195,13 @@
 
 #define MAX_OPT_LEN 40
 
+#define HUNGER_STR_LEN 8
+
+#define MAX_ID_TITLE_LEN 64
+
 struct id {
 short value;
- char *title;
+ char title[MAX_ID_TITLE_LEN];
 char *real;
 unsigned short id_status;
 };
@@ -472,4 +476,9 @@ struct rogue_time {
 short minute; /* 0 - 59 */
 short second; /* 0 - 59 */
 };
-
+/*
+ * external variable declarations.
+ */
+extern char hunger_str[HUNGER_STR_LEN];
+extern char login_name[MAX_OPT_LEN];
+extern const char *error_file;
diff --git a/games/rogue/save.c b/games/rogue/save.c
index 3abcd51db6..19b166fb42 100644
--- a/games/rogue/save.c
+++ b/games/rogue/save.c
@@ -35,7 +35,7 @@
 *
 * @(#)save.c 8.1 (Berkeley) 5/31/93
 * $FreeBSD: src/games/rogue/save.c,v 1.6 1999/11/30 03:49:27 billf Exp $
- * $DragonFly: src/games/rogue/save.c,v 1.2 2003/06/17 04:25:25 dillon Exp $
+ * $DragonFly: src/games/rogue/save.c,v 1.3 2003/08/26 23:52:50 drhodus Exp $
 */
 
 /*
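Review bot: `char title[MAX_ID_TITLE_LEN]` in struct id (rogue.h hunk -195) turns every title into a fixed 64-byte buffer, and the same constant is what read_string in save.c now enforces on the save file, so it doubles as a file-format limit; I would say so at the define, e.g. `/* size of struct id title; also the longest string read_string accepts from a save file */`. The id tables initialised from string literals (outside this diff) must all be shorter than 64 characters — a literal that fills the array exactly is legal C but leaves no terminator. In the -472 hunk, `extern const char *error_file;` replaces the `extern char *error_file;` removed from object.c; the defining declaration, not in this diff, must also be `const char *`, otherwise the two declarations conflict at compile time.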
@@ -59,8 +59,6 @@ static char save_name[80];
 
 extern boolean detect_monster;
 extern short cur_level, max_level;
-extern char hunger_str[];
-extern char login_name[];
 extern short party_room;
 extern short foods;
 extern boolean is_wood[];
@@ -98,15 +96,24 @@ const char *sfile;
 {
 FILE *fp;
 int file_id;
- char name_buffer[80];
+ char *name_buffer;
+ size_t len;
 char *hptr;
 struct rogue_time rt_buf;
 
 if (sfile[0] == '~') {
 if (hptr = md_getenv("HOME")) {
- (void) strcpy(name_buffer, hptr);
- (void) strcat(name_buffer, sfile+1);
- sfile = name_buffer;
+ len = strlen(hptr) + strlen(sfile);
+ name_buffer = md_malloc(len);
+ if (name_buffer == NULL) {
+ message("out of memory for save file name", 0);
+ sfile = error_file;
+ } else {
+ (void) strcpy(name_buffer, hptr);
+ (void) strcat(name_buffer, sfile+1);
+ sfile = name_buffer;
+ }
+ }
 }
 }
 /* revoke */
@@ -195,10 +202,10 @@ const char *fname;
 r_read(fp, (char *) &detect_monster, sizeof(detect_monster));
 r_read(fp, (char *) &cur_level, sizeof(cur_level));
 r_read(fp, (char *) &max_level, sizeof(max_level));
- read_string(hunger_str, fp);
+ read_string(hunger_str, fp, sizeof hunger_str);
 
- (void) strcpy(tbuf, login_name);
- read_string(login_name, fp);
+ (void) strlcpy(tbuf, login_name, sizeof tbuf);
+ read_string(login_name, fp, sizeof login_name);
 if (strcmp(tbuf, login_name)) {
 clean_up("you're not the original player");
 }
@@ -341,7 +348,7 @@ boolean wr;
 r_read(fp, (char *) &(id_table[i].value), sizeof(short));
 r_read(fp, (char *) &(id_table[i].id_status),
 sizeof(unsigned short));
- read_string(id_table[i].title, fp);
+ read_string(id_table[i].title, fp, MAX_ID_TITLE_LEN);
 }
 }
 }
@@ -358,13 +365,16 @@ FILE *fp;
 r_write(fp, s, n);
 }
 
-read_string(s, fp)
+read_string(s, fp, len)
 char *s;
 FILE *fp;
+size_t len;
 {
 short n;
 
 r_read(fp, (char *) &n, sizeof(short));
+ if (n > len)
+ clean_up("read_string: corrupt game file");
 r_read(fp, s, n);
 xxxx(s, n);
 }
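Review bot: The HOME expansion in save_into_file (hunk -98,15 +96,24) closes one block too many: the new code opens `if (name_buffer == NULL) {` and `} else {` and adds two closing braces, yet the two original context `}` lines are kept, so counting the function's `{` in context there are five closing braces for four opening ones and the body of save_into_file ends before `/* revoke */`; unless a brace was removed outside the hunk this does not compile. Drop the second added `}`, the one immediately before the context braces. The length arithmetic is right (`strlen(sfile)` already counts the byte that `sfile+1` skips, which covers the terminator), but the allocated name_buffer is never released on the visible path; the rest of save_into_file is outside the hunk, so if it returns normally a `free` of the buffer belongs there, or the original fixed buffer could be kept with `if (strlen(hptr) + strlen(sfile) > sizeof name_buffer)` rejecting the name instead.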
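Review bot: The new `if (n > len)` check in read_string bounds the copy but does not guarantee the result is NUL-terminated: a save file that stores n == len with a non-zero last byte leaves s unterminated, and the callers in the -195 hunk (`strcmp(tbuf, login_name)`) and the id_table titles in the -341 hunk then read past their buffers. Assuming write_string (above the hunk, only its `r_write(fp, s, n)` is visible) stores the terminator inside the n bytes, forcing it is safe for every well-formed file: `if (n < 1 || n > len) clean_up("read_string: corrupt game file");` before the read and `s[n - 1] = '\0';` after `xxxx(s, n);`. Since n is a short and len a size_t, a negative n converts to a huge unsigned value and is rejected by the comparison, which is correct but worth a one-line comment because -Wsign-compare flags it. The return value of r_read is still unchecked, as it was before the change.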
diff --git a/games/rogue/score.c b/games/rogue/score.c
index 4674986ca5..06c693f02e 100644
--- a/games/rogue/score.c
+++ b/games/rogue/score.c
@@ -35,7 +35,7 @@
 *
 * @(#)score.c 8.1 (Berkeley) 5/31/93
 * $FreeBSD: src/games/rogue/score.c,v 1.4 1999/11/30 03:49:27 billf Exp $
- * $DragonFly: src/games/rogue/score.c,v 1.2 2003/06/17 04:25:25 dillon Exp $
+ * $DragonFly: src/games/rogue/score.c,v 1.3 2003/08/26 23:52:50 drhodus Exp $
 */
 
 /*
@@ -54,7 +54,6 @@
 #include "rogue.h"
 #include "pathnames.h"
 
-extern char login_name[];
 extern char *m_names[];
 extern short max_level;
 extern boolean score_only, no_skull, msg_cleared;
diff --git a/games/rogue/use.c b/games/rogue/use.c
index a5c2cd8504..45c61e91cb 100644
--- a/games/rogue/use.c
+++ b/games/rogue/use.c
@@ -35,7 +35,7 @@
 *
 * @(#)use.c 8.1 (Berkeley) 5/31/93
 * $FreeBSD: src/games/rogue/use.c,v 1.4 1999/11/30 03:49:29 billf Exp $
- * $DragonFly: src/games/rogue/use.c,v 1.2 2003/06/17 04:25:25 dillon Exp $
+ * $DragonFly: src/games/rogue/use.c,v 1.3 2003/08/26 23:52:50 drhodus Exp $
 */
 
 /*
@@ -64,7 +64,6 @@ boolean con_mon = 0;
 const char *strange_feeling = "you have a strange feeling for a moment, then it passes";
 
 extern short bear_trap;
-extern char hunger_str[];
 extern short cur_room;
 extern long level_points[];
 extern boolean being_held;
-- 
2.35.2