From 475bba1329094bb261b1017251900883c31b0f5c Mon Sep 17 00:00:00 2001
From: H.G. Muller
Date: Fri, 30 Aug 2013 17:33:59 +0200
Subject: [PATCH] Fix buffer overflow in parser

When a line ended with a comment, the parser had to read a line ahead to check if there was a PGNresult following, without being able to throw away the previous line yet. This could lead to buffer overflow in a long game where every line ended in a comment. The buffer now is cleansed of already parsed data when starting on a new syntactical unit.
---
 parser.c | 4 ++++
 winboard/config.h | 2 +-
 2 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/parser.c b/parser.c
index 6da13d4..8b1dc3f 100644
--- a/parser.c
+++ b/parser.c
@@ -174,6 +174,10 @@ NextUnit (char **p)
 if(fromString) return 0; // we are parsing string, so the end is really the end
 *p = inPtr = inputBuf;
 if(!ReadLine()) return 0; // EOF
+ } else if(inPtr > inputBuf + PARSEBUFSIZE/2) { // buffer fills up with already parsed stuff
+ char *q = *p, *r = inputBuf;
+ while(*r++ = *q++);
+ *p = inputBuf; inPtr = r - 1;
 }
 parseStart = oldp = *p; // remember where we begin
diff --git a/winboard/config.h b/winboard/config.h
index 7b64b56..bd928ca 100644
--- a/winboard/config.h
+++ b/winboard/config.h
@@ -55,7 +55,7 @@
 #define PACKAGE_VERSION "4.7.2"
 /* Define the Windows-specific FILE version info. this *MUST* be four comma separated 16-bit integers */
-#define PACKAGE_FILEVERSION 4,7,2013,0828
+#define PACKAGE_FILEVERSION 4,7,2013,828
 #define PTY_ITERATION
-- 
1.7.0.4
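Review bot: The new else-if branch only reclaims the already-consumed prefix (`*p - inputBuf`); nothing in the hunk checks that the unparsed remainder plus the next line appended by ReadLine() still fits in PARSEBUFSIZE, so a single long unit that starts near the end of the buffer could still overrun unless ReadLine() bounds its own write — worth confirming, since that function is outside the hunk. The hand-rolled `while(*r++ = *q++);` is an overlapping copy that is safe only because the destination lies below the source, and it trips -Wparentheses; the standard, overlap-safe form is `size_t keep = strlen(*p) + 1; /* keep the terminator */` / `memmove(inputBuf, *p, keep);` / `*p = inputBuf; inPtr = inputBuf + keep - 1;`. The move also invalidates any other pointer into inputBuf held across this call (parseStart and oldp are reassigned right after, but a caller's saved position would not be), so a comment such as `// compaction: every pointer into inputBuf other than *p is stale after this` above the else-if would help the next maintainer. NextUnit's body starts and ends outside this hunk.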