#1908 closed defect (fixed)
BASE: buffer overflow causes crash from env-var HOME
| Reported by: | SF/toreanderson | Owned by: | fingolfin |
|---|---|---|---|
| Priority: | low | Component: | Port: Linux |
| Version: | | Keywords: | |
| Cc: | | Game: | |
Description
This is from Ulf Härnhammar in <http://bugs.debian.org/292263/>. I guess ScummVM is never installed as a setuid binary? It isn't on Debian anyway, so priority set as low.
....
Hello,
if I start scummvm with a long value for the environment variable HOME, the program crashes.
```
metaur@metaur:~$ HOME=`perl -e 'print "U" x 1030;'` /usr/games/scummvm
WARNING: Unable to open configuration file: UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU/.scummvmrc!
Segmentation fault
metaur@metaur:~$
```
Ticket imported from: #1109687. Ticket imported from: bugs/1908.
Change History (16)
comment:1 by , 20 years ago
| Priority: | normal → low |
|---|---|
comment:2 by , 20 years ago
comment:3 by , 20 years ago
| Owner: | set to |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
comment:4 by , 20 years ago
As a note, you'd have to be crazy to install scummvm setuid. I couldn't count the number of places an exploited savegame could break out :)
comment:5 by , 20 years ago
I hope you don't believe I seriously doubted the correctness of installing ScummVM non-setuid on a unix/linux-lookalike such as Debian! :-)
Was thinking more of these funny architectures I have no idea how they work, such as iPac, Dreamcast, Microsoft, Morphos, and so on.
Thanks for fixing it so rapidly!
Tore
comment:6 by , 19 years ago
| Status: | closed → new |
|---|---|
comment:7 by , 19 years ago
Hi,
It seems to me this bug is still present in 0.8.0. At least I can reproduce it using the method suggested by the submitter. Hence, I'm reopening this bug.
Tore
comment:8 by , 19 years ago
Indeed, only main.cpp was fixed, but not config-manager.cpp. I fixed that one, too. Furthermore, SCUMMVM_SAVEPATH is also read from env. While an overflow there should be harmless, I still added a check there, too... Will be included in the next release.
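The fix described in this comment, an explicit length check on an environment value before it is copied into a fixed-size buffer, is shown here as an added example in C. It is not ScummVM's own code: the buffer size, the function names and the exact shape of the config path are assumptions made for the example, and the SCUMMVM_SAVEPATH handling only mirrors the idea of rejecting an oversized value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for the example; the real sizes are not on the ticket. */
#define PATH_BUF_SIZE 256

/* Join dir + "/" + name into dst (capacity dstsz).
 * Returns 0 on success and -1 when the result would not fit; dst is left
 * as an empty string in the failure case so callers never see a partial path. */
int safe_path_join(char *dst, size_t dstsz, const char *dir, const char *name) {
    if (dst == NULL || dstsz == 0) return -1;
    dst[0] = '\0';
    if (dir == NULL || name == NULL) return -1;
    /* dir, '/', name and the terminating NUL all have to fit */
    size_t need = strlen(dir) + 1 + strlen(name) + 1;
    if (need > dstsz) return -1;
    int n = snprintf(dst, dstsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= dstsz) { dst[0] = '\0'; return -1; }
    return 0;
}

/* Build the config path from a caller-supplied HOME value. HOME is passed in
 * explicitly so the check can be exercised without touching the environment. */
int config_path_from_home(const char *home, char *dst, size_t dstsz) {
    if (home == NULL || home[0] == '\0') return -1; /* unset HOME: no path */
    return safe_path_join(dst, dstsz, home, ".scummvmrc");
}

/* Environment-reading wrappers; getenv() output is untrusted input. */
int config_path_from_env(char *dst, size_t dstsz) {
    return config_path_from_home(getenv("HOME"), dst, dstsz);
}

int savepath_from_env(char *dst, size_t dstsz) {
    const char *sp = getenv("SCUMMVM_SAVEPATH");
    if (dst == NULL || dstsz == 0) return -1;
    dst[0] = '\0';
    if (sp == NULL) return -1;
    /* reject an oversized value outright instead of copying or truncating it */
    size_t len = strlen(sp);
    if (len + 1 > dstsz) return -1;
    memcpy(dst, sp, len + 1);
    return 0;
}

int main(void) {
    char buf[PATH_BUF_SIZE];
    /* Constructed input: 1030 'U' characters, the same shape as the report. */
    char longhome[1031];
    memset(longhome, 'U', 1030);
    longhome[1030] = '\0';

    if (config_path_from_home(longhome, buf, sizeof buf) != 0)
        printf("rejected oversized HOME (%zu chars)\n", strlen(longhome));
    if (config_path_from_home("/home/metaur", buf, sizeof buf) == 0)
        printf("config path: %s\n", buf);
    return 0;
}
```

Returning an error rather than silently truncating matters here: a truncated path would still be a valid-looking string, so the program would go on to open or create a file somewhere the user never asked for. The test below also exercises the exact boundary, a directory name that makes the joined path fill the buffer to the last byte, since off-by-one errors in this kind of check are what usually survive a first fix.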
comment:9 by , 19 years ago
| Owner: | changed from | to |
|---|---|---|
comment:10 by , 19 years ago
| Status: | new → closed |
|---|---|
comment:11 by , 19 years ago
I can still make scummvm segfault this way, even with a checkout from svn made today. The limit seems to be 512 characters, FWIW; anything higher than that causes scummvm to segfault.
comment:13 by , 19 years ago
| Status: | closed → new |
|---|---|
| Summary: | buffer overflow causes crash from env-var HOME → BASE: buffer overflow causes crash from env-var HOME |
comment:14 by , 19 years ago
| Status: | new → closed |
|---|---|
comment:15 by , 19 years ago
The bug in fopenNoCase should be fixed now, at least I really can't reproduce the issue anymore :)
comment:16 by , 6 years ago
| Component: | → Port: Linux |
|---|---|
Fixed in CVS. And no, ScummVM does not require root privileges.