Re: [CODE] VisionMUD class_spells_index buffer overflows

From: Torgny Bjers (tb@sbbs.se)
Date: 08/08/00


-----Original Message-----
From: Peter Ajamian <peter@pajamian.dhs.org>
To: CIRCLE@POST.QUEENSU.CA <CIRCLE@POST.QUEENSU.CA>
Date: tisdag, 8 augusti 2000 01:44
Subject: Re: [CIRCLE] [CODE] VisionMUD class_spells_index buffer overflows


<snip>
>> it overflows or something and doesn't print anything else into the string,
>> can any one help me out here?
>>
>Well, I'll look through and tell you what I can see...
>>
>> ---------------------------SNIP---------------------------------
>> void class_spells_index(int chclass, char *str)
>                                       ^^^^^^^^^
>
>You're using a passed buffer to hold the output of this function.  The
>problem could easily be outside of the function and have to do with the
>way the buffer is declared/allocated.
>

<snip>
>Hrmmm, the use of buf1 in this function could (possibly) be the problem
>if buf1 is already in use by the calling function.  As a rule I only use
>the global buffers in ACMDs and a few other places where I'm sure I
>won't be stepping on another function's usage of them or vice-versa.  To
>find out if this is the problem and fix it in the same step simply
>declare buf1 as a local which will isolate it from other functions as
>follows...
>
>char buf1[MAX_STRING_LENGTH];
>


<snip>

I tried to declare buf1 as a local like you suggested (I had even tried that
yesterday I think but didn't think it was that), but it still overflows the
string somehow, when I debug it prints out the top rows (the header and
the ---- line) and starts on level 1, prints out about three items, and then
it goes down one line to print out the other spells/skills, and it truncates
it after like 3-10 chars and then it refuses to add anything further to the
string (built-in security check I presume).

I have also tried to do the sprintf's like you described, sprintf(str +
strlen(str), "", bla); which I also felt was a better way to do it since I
had some first-hand experience with the other way when I meddled with the
do_score some months ago, but I am glad you pointed out that it was the
correct way!

So, in the code, it is obviously somewhere around the for loop... I would
without any programming knowledge guess that it is sprintf(str +
strlen(str), "%s%-22s", buf1, spells[spellnum]); that does it, when it adds
buf1 to str it messes up somehow...

Here is the code again, with modifications:

----------------snip---------------------------------------
void class_spells_index(int chclass, char *str)
{
  char buf1[MAX_STRING_LENGTH];          /* now local, as suggested above */
  int i, spellnum, num;
  int n_spells, n_skills;
  *str = '\0';
  sprinttype(chclass, pc_class_types, buf1);
  sprintf(str, "Spells and Skills available for %s.\r\n", buf1);
  strcat(str, "-----------------------------------------------------------------------------\r\n");
  strcat(str, "Level          Spell/Skill   Name\r\n");

  n_spells = 0;
  n_skills = 0;
  for (i = 1; i <= MAX_MORT_LEVEL; i++) {
    sprintf(str + strlen(str), "%2d   ", i);
    num = 0;
    for (spellnum = 1; spellnum < TOP_SPELLS; spellnum++) {
      if (SINFO.min_level[chclass] == i) {
        if (num >= 3) strcat(str, "\r\n     ");   /* wrap after three entries */
        if (spellnum >= 1 && spellnum <= MAX_SPELLS) {
          strcpy(buf1, "");                        /* colour code removed */
          n_spells++;
        } else if (spellnum > MAX_SPELLS && spellnum < START_NON_PLAYER_SPELLS) {
          strcpy(buf1, "");                        /* colour code removed */
          n_skills++;
        } else
          strcpy(buf1, "");                        /* colour code removed */
        sprintf(str + strlen(str), "%s%-22s", buf1, spells[spellnum]);
        num++;
      }
    }
    strcat(str, "\r\n");
  }
  strcat(str, "\r\n");
  sprintf(str + strlen(str), "Spells: %d, Skills: %d, Total:%d\r\n",
    n_spells, n_skills, n_spells + n_skills);
  return;
}
----------------snip---------------------------------------

I removed the color codes in the strcpy(buf1, ""); things, because I didn't
know what else to do with them, I mean, I don't want color in it, I just
want it to print out a simple list of skills and spells, that's all...
Maybe this should be done a different way, but it doesn't matter for the
buffer overflow at least, I gone and checked that already...

Please help me out here...  I am trying my best to try to grasp the string
handling here, but I am a novice, so it is harder for me to point at the
error and say "There it is!" ...

Kind Regards,
Torgny Bjers
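As an added example (not code from this post or from CircleMUD), here is the bounded alternative to the sprintf(str + strlen(str), ...) and strcat() chain above: an appender that tracks how much of the destination is left and truncates, flagging the overflow, instead of writing past the end. It keeps the same loop shape as class_spells_index; the strbuf helper, the spell names and their levels are constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>

/* Bounded appender: unlike sprintf(str + strlen(str), ...) and strcat(),
 * every write here knows how much room is left in the destination. */
struct strbuf {
    char *data;      /* caller-owned destination, always NUL-terminated */
    size_t cap, len; /* capacity in bytes; bytes used, terminator excluded */
    int overflow;    /* set once an append did not fit */
};
/* Appends formatted text; when full, truncates, keeps the terminator and
 * sets the overflow flag instead of writing past the end. */
static int sb_appendf(struct strbuf *sb, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (sb->overflow || sb->len + 1 >= sb->cap) { sb->overflow = 1; return 0; }
    va_start(ap, fmt);
    n = vsnprintf(sb->data + sb->len, sb->cap - sb->len, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= sb->cap - sb->len) {
        sb->len = sb->cap - 1; /* vsnprintf placed the NUL at this index */
        sb->overflow = 1;
        return 0;
    }
    sb->len += (size_t)n;
    return n;
}
/* Constructed stand-in for the spells[] table and its min_level values. */
static const char *demo_spells[] = { "armor", "bless", "cure light", "kick", "bash" };
static const int demo_levels[] = { 1, 1, 1, 1, 2 };
/* Same loop shape as class_spells_index, but into a destination of known
 * size. Returns 1 if the listing fit, 0 if it had to be truncated. */
static int build_spell_index(char *dst, size_t cap)
{
    struct strbuf sb = { dst, cap, 0, 0 };
    int level, i, num;
    if (cap) dst[0] = '\0';
    sb_appendf(&sb, "Level          Spell/Skill   Name\r\n");
    for (level = 1; level <= 2; level++) {
        sb_appendf(&sb, "%2d   ", level);
        for (i = num = 0; i < 5; i++) {
            if (demo_levels[i] != level) continue;
            if (num >= 3) sb_appendf(&sb, "\r\n     "); /* wrap after three */
            sb_appendf(&sb, "%-22s", demo_spells[i]);
            num++;
        }
        sb_appendf(&sb, "\r\n");
    }
    return !sb.overflow;
}
```

With a 512-byte destination the full 166-byte listing fits and the function returns 1; with a 40-byte destination it returns 0 and the buffer holds a cleanly terminated 39-byte prefix, which is the symptom to check for before suspecting the loop itself.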


     +------------------------------------------------------------+
     | Ensure that you have read the CircleMUD Mailing List FAQ:  |
     |  http://qsilver.queensu.ca/~fletchra/Circle/list-faq.html  |
     +------------------------------------------------------------+



This archive was generated by hypermail 2b30 : 04/11/01 PDT