Fix unbound memory read (bug #23606)

This was introduced in commit 8e5eb9a8d4edf8da33dd19540495b6aa60b28375, probably because it's not clear enough in our implementation of MD5 that the result of MD5::raw_digest() (and util::md5() by proxy) is not a null-terminated string. I've added a comment to util::md5() to clarify this in case it comes up again, but what we really should do is replace the MD5 implementation with something a bit more C++-ish. Fixed the issue by having the caller request the text representation of the MD5 digest instead.
2025-05-05 16:45:42 +00:00 · 2015-06-02 19:17:41 -03:00 · 2015-06-02 19:17:41 -03:00 · 7b92923555
commit 7b92923555
parent aab8c00039
4 changed files with 11 additions and 2 deletions
--- a/2
+++ b/2
@ -51,6 +51,8 @@ Version 1.13.0+dev:
   * Updated mainline campaigns and multiplayer scenarios to use [filter] status=
     instead of [filter] [filter_wml] [status]
   * Fixed a segfault in [move_units_fake]
+   * Fixed unbound memory read in the MP map selection screen that could lead
+     to a segmentation fault or other abnormal behavior (bug #23606).

 Version 1.13.0:
 * Security fixes:
--- a/src/game_initialization/create_engine.cpp
+++ b/src/game_initialization/create_engine.cpp
@ -148,7 +148,7 @@ surface scenario::create_image_surface(const SDL_Rect& image_rect)
 		return minimap_img_;
 	}

-	std::basic_string<unsigned char> current_hash = util::md5(map_->write());
+	std::string current_hash = util::encode_hash(util::md5(map_->write()));

 	if (minimap_img_.null() || (map_hash_ != current_hash)) { // If there's no minimap image, or the map hash doesn't match, regenerate the image cache.
 		minimap_img_ = image::getMinimap(image_rect.w, image_rect.h, *map_, 0);
--- a/src/game_initialization/create_engine.hpp
+++ b/src/game_initialization/create_engine.hpp
@ -89,7 +89,7 @@ protected:
 	boost::scoped_ptr<gamemap> map_;

 	surface minimap_img_;
-	std::basic_string<unsigned char> map_hash_;
+	std::string map_hash_;

 private:
 	scenario(const scenario&);
--- a/src/hash.hpp
+++ b/src/hash.hpp
@ -19,6 +19,13 @@

 namespace util {

+/**
+ * Returns the MD5 digest for the specified input.
+ *
+ * @note The returned value points to a fixed-size 16 bytes array representing
+ *       the raw MD5 value, not a null-terminated string. Use encode_hash if
+ *       you need the text representation instead.
+ */
 unsigned char* md5(const std::string& input);
 int get_iteration_count(const std::string& hash);
 std::string get_salt(const std::string& hash);