From 72e1675f5ffacbb1fbfa7055102e891202d93c82 Mon Sep 17 00:00:00 2001
From: Stephen Seo
Date: Mon, 3 Aug 2020 16:01:38 +0900
Subject: [PATCH] Fix memory corruption bug

Increased buffer for notificationText. Previous implementation wrote to notificationText but was possible for buffer overflows when writing to it with strcpy. Also fixed by using strncpy instead of strcpy.
---
 src/state.cpp | 32 +++++++++++++++++++-------------
 src/state.hpp | 2 +-
 2 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/src/state.cpp b/src/state.cpp
index c866704..211eea1 100644
--- a/src/state.cpp
+++ b/src/state.cpp
@@ -33,7 +33,7 @@ inputWidthHeight{800, 600}
  window.setFramerateLimit(60);
  notification_text.fill(0);
- std::strcpy(notification_text.data(), "Press \"H\" for help");
+ std::strncpy(notification_text.data(), "Press \"H\" for help", notification_text.max_size() - 1);
  pointCircle.setRadius(7.0f);
  pointCircle.setOrigin(7.0f, 7.0f);
@@ -136,12 +136,13 @@ void Tri::State::handle_events() {
  flags.flip(F_COPY_COLOR_MODE);
  if(flags.test(F_COPY_COLOR_MODE)) {
  notification_text.fill(0);
- std::strcpy(notification_text.data(),
+ std::strncpy(notification_text.data(),
  "Copy color mode\n"
  "Click to change\n"
  "current draw color\n"
  "to what was\n"
- "clicked on");
+ "clicked on",
+ notification_text.max_size() - 1);
  notification_alpha = 1.0f;
  } else {
  notification_alpha = 0.0f;
@@ -190,7 +191,8 @@ void Tri::State::handle_events() {
  break;
  }
  } else if(flags.test(F_COPY_COLOR_MODE)) {
- auto color = drawCache.getTexture().copyToImage().getPixel(event.mouseButton.x, event.mouseButton.y);
+ auto color = drawCache.getTexture().copyToImage()
+ .getPixel(event.mouseButton.x, event.mouseButton.y);
  colorPickerColor[0] = color.r / 255.0f;
  colorPickerColor[1] = color.g / 255.0f;
  colorPickerColor[2] = color.b / 255.0f;
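Review bot: The `notification_text.max_size() - 1` bound on the new `std::strncpy` yields a terminated string only because `notification_text.fill(0)` runs on the line before it — `strncpy` writes no NUL when the source is truncated — and a message longer than the buffer is now cut off silently instead of overflowing. Every source here is a string literal, so the overflow can be rejected at compile time with `static_assert(sizeof("Press \"H\" for help") <= std::tuple_size<NotificationBufferType>::value, "notification too long");` next to the call, or avoided by sizing the buffer from the literals. The same fill-then-strncpy triple is repeated in the hunks at -136, -198 and -390 (three times in the last one); moving it into one member that owns the termination contract keeps the guarantee in a single place and makes each call site one line, as sketched below (it needs a declaration in state.hpp, outside this hunk). On a `std::array`, `size()` and `max_size()` are the same constant; `size()` says what is meant. The enclosing constructor starts and ends outside the hunk.
```cpp
// Replaces notification_text with msg, truncating to size() - 1 characters;
// the buffer is zeroed first so the final byte stays NUL even when strncpy truncates.
void Tri::State::set_notification(const char* msg) {
    notification_text.fill(0);
    std::strncpy(notification_text.data(), msg, notification_text.size() - 1);
}
// … unchanged: rest of the constructor up to the notification …
    set_notification("Press \"H\" for help");
```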
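Review bot: The re-wrapped `getPixel(event.mouseButton.x, event.mouseButton.y)` still passes the raw event coordinates through unchecked; `sf::Image::getPixel` is documented as not validating them, and `mouseButton.x`/`y` are signed `int`s converted to `unsigned int`, so a press reported outside the cached image (negative, or beyond it if `drawCache` is not resized together with the window in `change_width_height`) becomes an out-of-bounds read — a memory-safety gap of the same kind this commit fixes. Binding the image first makes the guard cheap: `const sf::Image img = drawCache.getTexture().copyToImage();` followed by `if(event.mouseButton.x < 0 || event.mouseButton.y < 0 || static_cast<unsigned>(event.mouseButton.x) >= img.getSize().x || static_cast<unsigned>(event.mouseButton.y) >= img.getSize().y) { /* ignore the click */ } else { auto color = img.getPixel(event.mouseButton.x, event.mouseButton.y); … }`, with the exact exit chosen to fit the surrounding branch, which starts outside the hunk. handle_events continues on both sides of the hunk.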
@@ -198,8 +200,9 @@ void Tri::State::handle_events() {
  pointCircle.setFillColor(color);
  flags.reset(F_COPY_COLOR_MODE);
  notification_text.fill(0);
- std::strcpy(notification_text.data(),
- "Color set");
+ std::strncpy(notification_text.data(),
+ "Color set",
+ notification_text.max_size() - 1);
  notification_alpha = 1.0f;
  }
  }
@@ -390,30 +393,33 @@ bool Tri::State::change_width_height() {
  if(warnings.test(0) && warnings.test(1)) {
  notification_alpha = 1.0f;
  notification_text.fill(0);
- std::strcpy(
+ std::strncpy(
  notification_text.data(),
- "Width set to 200\nHeight set to 150"
+ "Width set to 200\nHeight set to 150",
+ notification_text.max_size() - 1
  );
  } else if(warnings.test(0)) {
  notification_alpha = 1.0f;
  notification_text.fill(0);
- std::strcpy(
+ std::strncpy(
  notification_text.data(),
- "Width set to 200"
+ "Width set to 200",
+ notification_text.max_size() - 1
  );
  } else if(warnings.test(1)) {
  notification_alpha = 1.0f;
  notification_text.fill(0);
- std::strcpy(
+ std::strncpy(
  notification_text.data(),
- "Height set to 150"
+ "Height set to 150",
+ notification_text.max_size() - 1
  );
  }
  this->width = inputWidthHeight[0];
  this->height = inputWidthHeight[1];
- window.setSize(sf::Vector2u(width, height));
+ window.setSize({this->width, this->height});
  sf::View newView(
  sf::Vector2f(width / 2.0f, height / 2.0f),
  sf::Vector2f(width, height));
diff --git a/src/state.hpp b/src/state.hpp
index 758d7fc..67825f5 100644
--- a/src/state.hpp
+++ b/src/state.hpp
@@ -37,7 +37,7 @@ namespace Tri {
  unsigned int height;
  const sf::Time dt;
  float notification_alpha;
- typedef std::array NotificationBufferType;
+ typedef std::array NotificationBufferType;
  NotificationBufferType notification_text;
  sf::RenderWindow window;
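Review bot: The new `NotificationBufferType` length (its template arguments are not visible in this rendering of the patch) is a bare number with nothing tying it to the longest message written into it, while every writer in state.cpp relies on `fill(0)` plus `strncpy(..., size() - 1)` to keep the last byte NUL. A comment on the typedef should record that contract, e.g. `// Must be strictly larger than the longest notification literal in state.cpp; writers zero the buffer and copy at most size()-1 bytes so the final byte stays NUL.` If the header is built as C++11 or later, `using NotificationBufferType = std::array<char, N>;` (N being the chosen size) is the idiomatic spelling. The enclosing class body starts and ends outside the hunk.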