Re: Suspicious code

From: Thomas Arp (t_arp@stofanet.dk)
Date: 04/24/03


I've changed a couple of things below.

> I've made a function that I suspect for corrupting memory:

And yes, you were overrunning t below.
> void poll_boot(void)
> {
>   FILE *fl;
>   char line[READ_SIZE];
>   int nr;
>
>   if (!(fl = fopen(POLL_FILE, "r"))) {
>     mudlog(BRF, LVL_IMPL, TRUE, "SYSERR: Failed to open %s.", POLL_FILE);
>     return;
>   }
>
>   for (;;) {
-     if (!get_line(fl, line))
-    return;
-
-     if (*line == '$')
-       return;
+    if (!get_line(fl, line) || *line == '$') {
+      fclose(fl);
+      return;
+    }
>     if (*line == '#') {
>       if (sscanf(line, "#%d", &nr) != 1) {
>      log("SYSERR: Format error in %s.", POLL_FILE);
+      fclose(fl);
>      return;
>    }
>
>    if (!polls_index)
>   CREATE(polls_index, struct polls_data, polls_top + 1);
>    else
>   RECREATE(polls_index, struct polls_data, polls_top + 1);
>
>    parse_poll(fl, nr);
>    fclose(fl);
>
>    log("   Poll #%d loaded.", nr);
>  }
>   }
> }
>
> void parse_poll(FILE *fl, int virtual_nr)
> {
-    int t[5];
+    int t[6];
>   char line[256], buf2[MAX_STRING_LENGTH];
+    snprintf(buf2, sizeof(buf2), "Poll #%d", virtual_nr);
>   poll_nr++;
>   polls_top++;
>   polls_index[poll_nr].number = virtual_nr;
>   polls_index[poll_nr].name= fread_string(fl, buf2);
>   polls_index[poll_nr].desc = fread_string(fl, buf2);
>   polls_index[poll_nr].first_choice = fread_string(fl, buf2);
>   polls_index[poll_nr].second_choice = fread_string(fl, buf2);
>   polls_index[poll_nr].third_choice = fread_string(fl, buf2);
>   polls_index[poll_nr].fourth_choice = fread_string(fl, buf2);
>   polls_index[poll_nr].fifth_choice = fread_string(fl, buf2);
>
>   if (!get_line(fl,line) || sscanf(line, "%d %d %d %d %d %d", t, t + 1, t
> + 2, t + 3, t + 4, t + 5) != 6) {
>     fprintf(stderr, "Format error in poll #%d\n", virtual_nr);
>     exit(1);
>   }
>   polls_index[poll_nr].percents[0] = t[0];
>   polls_index[poll_nr].percents[1] = t[1];
>   polls_index[poll_nr].percents[2] = t[2];
>   polls_index[poll_nr].percents[3] = t[3];
>   polls_index[poll_nr].percents[4] = t[4];
>   polls_index[poll_nr].status    = t[5];
> }
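Review bot: The `fclose(fl);` that follows `parse_poll(fl, nr);` inside the `#` branch closes the stream while the `for (;;)` loop keeps running, so the next `get_line(fl, line)` reads from a closed FILE* and the `fclose(fl)` this patch adds on the `$`/EOF exit then closes it a second time. Delete that in-loop `fclose(fl);` and let the three exit-path closes the patch introduces own the stream. Whether `polls_index[poll_nr]` stays inside the `polls_top + 1` elements allocated by CREATE/RECREATE depends on the initial values of `poll_nr` and `polls_top`, which are not shown here; unless `poll_nr` starts at `-1` while `polls_top` starts at `0`, the write lands one past the end. The `int t[6]` change itself is correct for the six `%d` conversions in the sscanf.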
>
> However, not being the greatest coder out there, I cannot see what is
> wrong with it. I would be grateful if any of you could point out the
> mistakes I have probably made :)

"int t[5];" means "declare an array of 5 elements, indexed 0 through 4, of type
int." In other words, t + 5 and t[5] refer one past the end of the array, so the
sixth %d conversion in the sscanf writes out of bounds.

Welcor



