Package: glaurung
Version: 2.2-3
Severity: grave
Tags: patch
X-Debbugs-Cc: Asher Gordon <AsDaGo@posteo.net>
Dear Maintainer,
Glaurung segfaults when the 'go' command is used, making it
unusable. For example:
$ glaurung
Glaurung 2.2. Copyright (C) 2004-2008 Tord Romstad.
go
Segmentation fault
This is because of an out-of-bounds access, fixed by the following
patch:
From 62017d29d816d07513805500d498d8779343e074 Mon Sep 17 00:00:00 2001
From: Asher Gordon <AsDaGo@posteo.net>
Date: Sat, 29 Aug 2020 12:53:56 -0400
Subject: [PATCH 1/3] Fix buffer overrun, causing a segfault
---
src/evaluate.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/evaluate.cpp b/src/evaluate.cpp
index 72032f0..ac303fa 100644
--- a/src/evaluate.cpp
+++ b/src/evaluate.cpp
@@ -1243,7 +1243,7 @@ namespace {
SafetyTable[i] = Value((int)(100 * a * (i - b)));
}
- for(i = 0; i < 100; i++)
+ for(i = 0; i < 99; i++)
if(SafetyTable[i+1] - SafetyTable[i] > maxSlope) {
for(j = i + 1; j < 100; j++)
SafetyTable[j] = SafetyTable[j-1] + Value(maxSlope);
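Review bot: The outer loop's new limit, 99, is a second hard-coded number that is only right if SafetyTable has exactly 100 entries, which is what the inner loop's "j < 100" implies; the declaration is not visible in this hunk. With the old limit, SafetyTable[i+1] was read at index 100 on the last iteration (i = 99), one past that count. Consider writing the condition as "i + 1 < 100", or deriving both loop limits from a single named constant for the table size, so the two bounds cannot drift apart. A short commit message body stating that this is a one-past-the-end read in the slope check would also help anyone backporting the fix.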
--
2.28.0
I also attempted to send this patch upstream, but I don't know Tord's
current email address (it's not tord@glaurungchess.com; I tried). So I
sent it to Matthew Purland, since he had made the last commit on
https://github.com/phenri/glaurung.
So hopefully, he will be able to apply it upstream, but until then,
please apply this patch in Debian.
Thanks,
Asher
-- System Information:
Debian Release: bullseye/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.7.0-2-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages glaurung depends on:
ii libc6 2.31-3
ii libstdc++6 10.1.0-6
Versions of packages glaurung recommends:
ii polyglot 2.0.4-2+b1
ii xboard 4.9.1-2
glaurung suggests no packages.
-- no debconf information
--
One picture is worth 128K words.
--------
I prefer to send and receive mail encrypted. Please send me your
public key, and if you do not have my public key, please let me
know. Thanks.
GPG fingerprint: 38F3 975C D173 4037 B397 8095 D4C9 C4FC 5460 8E68