From 28a742f1ef86e353f4eed6ec0841d483b29a5794 Mon Sep 17 00:00:00 2001
From: H.G.Muller
Date: Sat, 26 Nov 2016 12:33:54 +0100
Subject: [PATCH] Fix storage of values of engine string options

Originally all option definitions given in option features were stored in a static array of generous size (MSG_SIZ). But this was changed to allocated memory for not wasting space on unused option slots. The allocated memory wasonly large enough to hold the default value of the option, which could very well be an empty string. Changing the option setting to a longer strig would then produce memory corruption through buffer overrun. Now the memory allocated for option features is again at least MSG_SIZ.
---
 backend.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/backend.c b/backend.c
index 196b8a0..c18fa3e 100644
--- a/backend.c
+++ b/backend.c
@@ -17176,8 +17176,10 @@ StringFeature (char **p, char *name, char **loc, ChessProgramState *cps)
     if (strncmp((*p), name, len) == 0 && (*p)[len] == '=' && (*p)[len+1] == '\"') {
         (*p) += len + 2;
-        ASSIGN(*loc, *p); // kludge alert: assign rest of line just to be sure allocation is large enough so that sscanf below always fits
-        sscanf(*p, "%[^\"]", *loc);
+        len = strlen(*p) + 1; if(len < MSG_SIZ && !strcmp(name, "option")) len = MSG_SIZ; // make sure string options have enough space to change their value
+        FREE(*loc); *loc = malloc(len);
+        strncpy(*loc, *p, len);
+        sscanf(*p, "%[^\"]", *loc); // should always fit, because we allocated at least strlen(*p)
         while (**p && **p != '\"') (*p)++;
         if (**p == '\"') (*p)++;
         snprintf(buf, MSG_SIZ, "accepted %s\n", name);
-- 
1.7.0.4
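Review bot: The result of `*loc = malloc(len);` is passed straight to strncpy and sscanf on the following lines without a NULL check, so an allocation failure becomes a NULL dereference; a guard such as `if (!*loc) return 0;` (using whatever failure value StringFeature's callers expect — its return type is outside the hunk) belongs between the malloc and the strncpy. The new size guarantee is also implicit: nothing records that the buffer is MSG_SIZ bytes, so any later code that rewrites the option value must itself bound its writes to MSG_SIZ, and a comment stating that contract at the allocation would help, e.g. `/* buffer is at least MSG_SIZ for "option"; writers must stay within MSG_SIZ */`. Note that the `!strcmp(name, "option")` condition gives every other string feature an exactly-sized buffer, so the same overrun remains possible there if those values are ever modified in place. As a point of style, the two-statements-per-line form of the `len = ...; if(...) len = MSG_SIZ;` and `FREE(*loc); *loc = malloc(len);` lines hides the control flow and would read better split. The enclosing StringFeature body starts before and continues after this hunk.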