oss-sec mailing list archives

CVE needed? / gnuchess 6.2.4 fixed user input buffer overflow


From: Sebastian Pipping <sebastian () pipping org>
Date: Sun, 13 Nov 2016 16:28:19 +0100

Hi there!


gnuchess 6.2.4 fixed a stack buffer overflow related to user move input,
i.e. 160 characters of input can crash unpatched gnuchess 6.2.3.

I am unsure if this can be used to execute arbitrary code and if it
needs a CVE or not: gnuchess itself does not seem to accept input from a
file so it may need some other application in front (e.g. a website
using gnuchess for a backend or some mobile/desktop application
forwarding evil input to gnuchess with improper validation) to attack.

The patch in 6.2.4 is this; the content of s goes into mvstr later:


# diff -u4 gnuchess-6.2.3/src/frontend/move.cc
gnuchess-6.2.4/src/frontend/move.cc
--- gnuchess-6.2.3/src/frontend/move.cc        2015-01-01
23:57:25.000000000 +0100
+++ gnuchess-6.2.4/src/frontend/move.cc        2016-09-20
01:12:35.000000000 +0200
@@ -541,8 +541,13 @@
    char mvstr[MAXSTR], *p;
    BitBoard b, b2;
    leaf *n1, *n2;

+   /* User input could be longer than MAXSTR */
+   if ( strlen(s) >= MAXSTR ) {
+      s[MAXSTR-1] = '\0';
+   }
+
    TreePtr[2] = TreePtr[1];
    GenMoves (1);
    FilterIllegalMoves (1);
    side = board.side;

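Review bot: the guard `if ( strlen(s) >= MAXSTR ) { s[MAXSTR-1] = '\0'; }` stops the later copy into `mvstr[MAXSTR]` from running past the buffer, but it does so by writing a NUL into the caller's buffer `s` and then silently continuing with a truncated move. A move string of MAXSTR-1 or more characters cannot be a legal move, so rejecting it (return an error or no move to the caller) is cleaner than quietly modifying the input, and it avoids writing into memory the callee does not own, which is undefined behaviour if `s` ever points at read-only or const data. Independently of the guard, the place where `s` is later copied into `mvstr` should use a bounded copy (`strncpy`/`snprintf` with `sizeof mvstr`) so that this single check is not the only thing standing between user input and the stack; the hunk does not show that copy, so that change would be a second hunk.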

Thanks and best



Sebastian
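The overflow pattern the mail describes, as an added example that is not gnuchess code: an unchecked copy of a user-supplied move string into a fixed-size stack buffer, beside a hardened version that checks the length before copying and rejects over-long input instead of truncating it in place. The real value of MAXSTR is not given on the page; 128 here is an assumption chosen so that the 160-character input from the mail exceeds it, and all function names (copy_move_unchecked, copy_move_checked, try_long_move, roundtrip_ok) are hypothetical.

```c
/* Added example, not gnuchess code: the move-string handling the mail
 * describes, reduced to a stand-alone file, with the unchecked copy beside
 * a hardened version that rejects over-long input instead of truncating it.
 * MAXSTR's real value is not shown on the page; 128 is an assumption
 * small enough that the 160-character input from the mail overflows it. */
#include <stdio.h>
#include <string.h>

#define MAXSTR 128            /* assumption: real gnuchess value not in the mail */

enum { MOVE_OK = 0, MOVE_EMPTY = -1, MOVE_TOO_LONG = -2 };

/* Unchecked shape (the 6.2.3 behaviour): s is copied into a fixed stack
 * buffer with no bound, so strlen(s) >= MAXSTR writes past mvstr and smashes
 * the stack. Kept only for comparison; never feed it untrusted input. */
static size_t copy_move_unchecked(const char *s)
{
    char mvstr[MAXSTR];
    strcpy(mvstr, s);                 /* the overflow: no length check */
    return strlen(mvstr);
}

/* Hardened shape: check the length before any copy, never modify the
 * caller's buffer (the 6.2.4 patch writes a NUL into s in place), and
 * report over-long input as an error rather than silently truncating it.
 * A move that is MAXSTR-1 characters or longer cannot be a legal move
 * anyway, so rejecting loses nothing. */
static int copy_move_checked(const char *s, char *out, size_t outlen)
{
    size_t n = strlen(s);
    if (n == 0)
        return MOVE_EMPTY;
    if (n >= outlen)                  /* need n + 1 bytes for the NUL */
        return MOVE_TOO_LONG;
    memcpy(out, s, n + 1);
    return MOVE_OK;
}

/* Constructed input: a "move" of len repeated characters, mimicking the
 * 160-character crasher. Returns the status the checked copy gives it. */
static int try_long_move(size_t len)
{
    char in[512];
    char mvstr[MAXSTR];
    if (len >= sizeof in)
        len = sizeof in - 1;
    memset(in, 'a', len);
    in[len] = '\0';
    return copy_move_checked(in, mvstr, sizeof mvstr);
}

/* Returns 1 when a move survives the checked copy unchanged, else 0. */
static int roundtrip_ok(const char *s)
{
    char mvstr[MAXSTR];
    if (copy_move_checked(s, mvstr, sizeof mvstr) != MOVE_OK)
        return 0;
    return strcmp(mvstr, s) == 0;
}

int main(void)
{
    const char *moves[] = { "e2e4", "Nf3", "O-O-O", "" };
    size_t i;
    for (i = 0; i < sizeof moves / sizeof moves[0]; i++) {
        char mvstr[MAXSTR];
        int rc = copy_move_checked(moves[i], mvstr, sizeof mvstr);
        printf("%-6s -> %s\n", moves[i],
               rc == MOVE_OK ? mvstr :
               rc == MOVE_EMPTY ? "rejected (empty)" : "rejected (too long)");
    }
    /* The 160-character case from the mail: rejected, no buffer touched. */
    printf("160 chars -> %s\n",
           try_long_move(160) == MOVE_TOO_LONG ? "rejected (too long)"
                                               : "accepted?!");
    /* Short input is fine even through the unchecked path. */
    printf("unchecked copy of \"e2e4\" kept %zu chars\n",
           copy_move_unchecked("e2e4"));
    return 0;
}
```

The checked variant takes the destination size as a parameter rather than relying on a global MAXSTR, so the same bound is used at the check and at the copy; an application that fronts gnuchess (the web or mobile wrapper the mail mentions) can apply the same length rejection before forwarding a move.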

