Hi,
There is a buffer overflow vulnerability in simutrans in simsys.cc:
https://github.com/simutrans/simutrans/blob/348382a31a6f4a481133af307b8af4ee0f3b8197/src/simutrans/sys/simsys.cc#L601
The program blindly trusts environment variables given by the user.
It can be triggered by exceeding the size of `buffer`, set on line 570 of simsys.cc:
static char buffer[PATH_MAX + 24];
I had to use a way higher number than PATH_MAX + 25 to trigger a segfault, but you get the idea:
Commit version: 348382a31a6f4a481133af307b8af4ee0f3b8197
root@debian:/home/user/simutrans# HOME=$(python3 -c "print('A'*9500)") gdb ./build/simutrans/simutrans
...
Reading symbols from ./build/simutrans/simutrans...
(gdb) run
dr_fatal_notify: ERROR: Absolutely no base installation found.
Please download/install the complete base set!
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff79d8e4a in __GI___libc_free (mem=0x4141414141414141) at ./malloc/malloc.c:3362
3362 ./malloc/malloc.c: No such file or directory.
I am attaching a patch for it.
Regards,
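The pattern the report describes, an environment-controlled string formatted into a fixed-size static buffer, is shown below in an added example that is not simutrans's code and is not the attached patch. It keeps the `PATH_MAX + 24` buffer from the report, and puts the unchecked copy next to a bounded version that rejects a HOME which would not fit. The `/simutrans/` suffix, the `/tmp/simutrans/` fallback and the `PATH_MAX` fallback value are assumptions for illustration only.

```c
/* Added example (not simutrans's code): an environment-controlled string
 * formatted into a fixed buffer, first unchecked, then with the bound and
 * truncation check. HOME_SUFFIX and the fallback directory are assumptions. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096               /* assumption for platforms without it */
#endif

#define HOME_SUFFIX "/simutrans/"   /* hypothetical suffix, 11 chars + NUL */

static char buffer[PATH_MAX + 24];  /* same size as in the report */

/* Unchecked: sprintf writes as many bytes as HOME dictates. A HOME of a few
 * thousand characters runs past `buffer` into whatever follows it, so data
 * the program later uses (such as a heap pointer) can end up as 0x41 bytes,
 * which would explain the free(mem=0x4141414141414141) in the report.
 * Never call this with untrusted input; it is here only for contrast. */
static const char *home_path_unchecked(const char *home)
{
    sprintf(buffer, "%s" HOME_SUFFIX, home);
    return buffer;
}

/* Checked: snprintf is bounded, and its return value is compared against
 * the buffer size so an overlong HOME is rejected instead of being silently
 * truncated or written past the end. Returns NULL on rejection. */
static const char *home_path_checked(const char *home)
{
    if (home == NULL || home[0] == '\0')
        return NULL;
    int n = snprintf(buffer, sizeof buffer, "%s" HOME_SUFFIX, home);
    if (n < 0 || (size_t)n >= sizeof buffer) {
        buffer[0] = '\0';
        return NULL;
    }
    return buffer;
}

/* Answers "would this HOME fit?" without performing any write, so the
 * boundary can be probed safely. Needed bytes: strlen(home) + suffix + NUL. */
static int home_fits(const char *home)
{
    return strlen(home) + sizeof HOME_SUFFIX <= sizeof buffer;
}

/* Reads HOME the way a program would, falling back to an assumed default
 * directory when the variable is unset, empty or too long. */
static const char *home_path_from_env(void)
{
    const char *p = home_path_checked(getenv("HOME"));
    return p ? p : "/tmp/simutrans/";   /* hypothetical fallback */
}

/* Constructs a HOME of `len` repeated 'A's, like the report's python3
 * one-liner. Caller frees the result. */
static char *make_long_home(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char *evil = make_long_home(9500);
    printf("normal HOME -> %s\n", home_path_checked("/home/user"));
    printf("9500 x 'A'  -> %s\n",
           home_path_checked(evil) ? "accepted" : "rejected (would overflow)");
    printf("from env    -> %s\n", home_path_from_env());
    free(evil);
    return 0;
}
```

The check that matters is the comparison of snprintf's return value against `sizeof buffer`: snprintf alone only prevents the overrun, it does not tell the caller that the path it got back is not the one the user set, so a program that kept going would open the wrong directory.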
Ok, added some checks. Although I am pretty sure a lot of other programs and scripts will not like such a home variable.
I think that if you want to crash simutrans, the network code is the way better place to look for overruns.