[gcompris] maze: fix buffer overflow, when playing long time



commit 476fce1d3cfa34f076c463d1e71f3cc68e2af265
Author: Peter Albrecht <pa-dev gmx de>
Date:   Fri Sep 28 09:32:03 2012 +0200

    maze: fix buffer overflow, when playing long time
    
    ** Symptom **
    While testing my run-fast patch, I encountered the following bug: When
    you play maze activities for a long time, something in the internal
    data structure breaks.
    1. the exit is printed at position y0, but jumps to other random
       positions y1, y2, y3, ... while playing
    2. Tux starts running through walls as if there were none, while he is
       blocked where no walls are
    3. Tux walks totally out of the maze (x or y position < 0)
    4. GCompris exits completely, but without error message. It just
       disappears and you are back to console.
    
    These effects start to appear if you start GCompris, go to a maze
    activity, switch to level 20 and play this level about seven times.
    
    ** Reason **
    There is an array of fixed size, recording your "green" steps for each
    level: position[]
    The variable "ind" is used to indicate the next index in position[] to
    write to.
    This variable is increased while going through a level, but not reset at
    the beginning of a new level. So playing many levels (doing many steps),
    "ind" overflows position[]'s size of 740.
    This leads to overriding other variables in memory, like the exit's
    position, and finally crashing GCompris.
    
    ** Fix **
    The "ind" variable is now reset to 0 at every level start (not only
    at activity "load"). So I could flawlessly finish level 20 20 times. ;)
    
    This bug is kind of related to commit:
      f95663f2df7df2f3de8f98932b730cf49fed5a91

 src/maze-activity/maze.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
---
diff --git a/src/maze-activity/maze.c b/src/maze-activity/maze.c
index 6cb28dd..8d29b47 100644
--- a/src/maze-activity/maze.c
+++ b/src/maze-activity/maze.c
@@ -42,7 +42,7 @@
 static int Maze[MAX_BREEDTE][MAX_HOOGTE];
 static int position[MAX_BREEDTE*MAX_HOOGTE][2];
 
-static int ind=0;
+static int ind;
 static int begin;
 static int end;
 static int breedte=10;
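Review bot: dropping the `=0` initializer on `static int ind;` is behaviour-neutral, since static storage is zero-initialised in C, so this hunk is cosmetic; keeping `static int ind = 0;` together with a one-line comment that `ind` is reset per level in maze_next_level() would document the invariant the fix depends on, which a reader of this declaration alone cannot see.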
@@ -283,6 +283,7 @@ static void maze_next_level() {
 
   mapActive = FALSE;
 
+  ind = 0;
   gamewon = FALSE;
   initMaze();
   generateMaze((g_random_int()%breedte),(g_random_int()%hoogte));
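Review bot: the reset in maze_next_level() removes the cross-level accumulation, but `ind` is still unbounded within a level: nothing in this patch checks `ind < MAX_BREEDTE*MAX_HOOGTE` before `position[ind]` is written, so a single level in which more steps are recorded than the array holds would still write past `position[]`. Suggest guarding the write site, e.g. `if (ind < MAX_BREEDTE*MAX_HOOGTE) { position[ind][0] = x; position[ind][1] = y; ind++; }`, or at least asserting the bound in debug builds, so the out-of-bounds write fails loudly instead of corrupting the exit position.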


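The overflow mechanism the commit message describes (a fixed-size step array indexed by a counter that is never reset between levels) is easy to model in a few lines. The following is an added illustration, not code from gcompris: the array dimensions are constructed so that their product is 740, the size stated in the message (the real values of MAX_BREEDTE and MAX_HOOGTE are not shown on this page), `record_step()` adds the bounds check the patch lacks, `next_level()` performs the per-level reset the patch introduces, and `simulate()` drives both the unpatched and patched behaviour and counts how many writes the guard had to refuse.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed dimensions: 37 * 20 = 740, matching the position[] size
 * quoted in the commit message. Not the real maze.c constants. */
#define MAX_BREEDTE 37
#define MAX_HOOGTE  20
#define MAX_STEPS   (MAX_BREEDTE * MAX_HOOGTE)

static int position[MAX_STEPS][2]; /* recorded "green" steps of the level */
static int ind;                    /* next free slot in position[]        */

/* Record one step. Unlike the original, refuse the write instead of
 * running past the end of position[]; the caller learns about it. */
static bool record_step(int x, int y)
{
    if (ind < 0 || ind >= MAX_STEPS)
        return false;              /* array full: drop, never overflow */
    position[ind][0] = x;
    position[ind][1] = y;
    ind++;
    return true;
}

/* Mirrors the fix: every level start restarts recording from slot 0. */
static void next_level(void)
{
    ind = 0;
}

/* Play `levels` levels of `steps_per_level` steps each.
 * with_reset = false models the unpatched game (ind only grows),
 * with_reset = true models the patched game. Returns the number of
 * writes the bounds check had to refuse; 0 means the array sufficed. */
static int simulate(int levels, int steps_per_level, bool with_reset)
{
    int dropped = 0;
    ind = 0;                       /* activity "load" state */
    for (int l = 0; l < levels; l++) {
        if (with_reset)
            next_level();
        for (int s = 0; s < steps_per_level; s++) {
            /* constructed coordinates; only the count matters here */
            if (!record_step(s % MAX_BREEDTE, s / MAX_BREEDTE))
                dropped++;
        }
    }
    return dropped;
}

/* Expose the index so a test can check where recording stopped. */
static int current_index(void)
{
    return ind;
}

int main(void)
{
    /* Seven plays of a 200-step level: 1400 steps into a 740-slot array. */
    int lost_unpatched = simulate(7, 200, false);
    int lost_patched   = simulate(7, 200, true);
    printf("without per-level reset: %d writes refused (would have overflowed)\n",
           lost_unpatched);
    printf("with per-level reset:    %d writes refused, ind ends at %d\n",
           lost_patched, current_index());
    /* A single level longer than the array is still a problem the reset
     * alone does not solve; the guard is what keeps it in bounds. */
    printf("one 1000-step level, patched: %d writes refused\n",
           simulate(1, 1000, true));
    return 0;
}
```

Without the reset, the 741st step of the session is refused (or, in the original code, written past the array); with the reset the index never exceeds the per-level step count. The last line of `main` shows why the guard is worth keeping alongside the reset: a single very long level still exceeds 740 slots.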