Login
User Name:

Password:



Register
Forgot your password?
Vote for Us!
Bug in disarm( )
Nov 12, 2017, 6:54 pm
By GatewaySysop
Bug in will_fall( )
Oct 23, 2017, 1:35 am
By GatewaySysop
Bug in do_zap( ), do_brandish( )
Oct 18, 2017, 1:52 pm
By GatewaySysop
Bug in get_exp_worth( )
Oct 10, 2017, 1:26 am
By GatewaySysop
Bug in do_drag( )
Oct 8, 2017, 12:40 am
By GatewaySysop
LOP Heroes Edition
Author: Vladaar
Submitted by: Vladaar
Heroes sound extras
Author: Vladaar
Submitted by: Vladaar
6Dragons 4.3
Author: Vladaar
Submitted by: Vladaar
Memwatch
Author: Johan Lindh
Submitted by: Vladaar
Beastmaster 6D sound files
Author: Vladaar
Submitted by: Vladaar
Users Online
CommonCrawl, Google, DotBot

Members: 0
Guests: 20
Stats
Files
Topics
Posts
Members
Newest Member
476
3,704
19,231
608
LAntorcha
Today's Birthdays
There are no member birthdays today.
Related Links
» SmaugMuds.org » Bugfix Lists » SmaugFUSS Bugfix List » [Bug] EXT_BV comparisons can ...
Forum Rules | Mark all | Recent Posts

[Bug] EXT_BV comparisons can overflow the final bit slot
< Newer Topic :: Older Topic >

Pages:<< prev 1 next >>
Post is unread #1 Oct 14, 2007, 11:38 am
Go to the top of the page
Go to the bottom of the page

Samson
Black Hand
GroupAdministrators
Posts3,639
JoinedJan 1, 2002

Bug: EXT_BV comparisons can overflow the final bit slot
Danger: Low - Potential crash, only if all 128 bits in a set are filled.
Found by: Halcyon, Nick Gammon
Fixed by: Halcyon, Samson

---

act_wiz.c, do_setclass()

Locate:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg2 );
         value = get_aflag( arg2 );
         if( value < 0 || value > MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\n\r", arg2 );
         else
            xTOGGLE_BIT( Class->affected, value );
      }


Change to:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg2 );
         value = get_aflag( arg2 );
         if( value < 0 || value >= MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\n\r", arg2 );
         else
            xTOGGLE_BIT( Class->affected, value );
      }


Locate:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_aflag( arg3 );
         if( value < 0 || value > MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\n\r", arg3 );
         else
            xTOGGLE_BIT( race->affected, value );
      }


Change to:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_aflag( arg3 );
         if( value < 0 || value >= MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\n\r", arg3 );
         else
            xTOGGLE_BIT( race->affected, value );
      }


Locate:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_defenseflag( arg3 );
         if( value < 0 || value > MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\n\r", arg3 );
         else
            xTOGGLE_BIT( race->defenses, value );
      }


Change to:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_defenseflag( arg3 );
         if( value < 0 || value >= MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\n\r", arg3 );
         else
            xTOGGLE_BIT( race->defenses, value );
      }


Locate:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_attackflag( arg3 );
         if( value < 0 || value > MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\n\r", arg3 );
         else
            xTOGGLE_BIT( race->attacks, value );
      }


Change to:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_attackflag( arg3 );
         if( value < 0 || value >= MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\n\r", arg3 );
         else
            xTOGGLE_BIT( race->attacks, value );
      }


build.c, do_mset()

Locate:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_aflag( arg3 );
         if( value < 0 || value > MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\n\r", arg3 );
         else
            xTOGGLE_BIT( victim->affected_by, value );
      }


Change to:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_aflag( arg3 );
         if( value < 0 || value >= MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\n\r", arg3 );
         else
            xTOGGLE_BIT( victim->affected_by, value );
      }


Locate:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_attackflag( arg3 );
         if( value < 0 || value > MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\n\r", arg3 );
         else
            xTOGGLE_BIT( victim->attacks, value );
      }


Change to:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_attackflag( arg3 );
         if( value < 0 || value >= MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\n\r", arg3 );
         else
            xTOGGLE_BIT( victim->attacks, value );
      }


Locate:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_defenseflag( arg3 );
         if( value < 0 || value > MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\n\r", arg3 );
         else
            xTOGGLE_BIT( victim->defenses, value );
      }


Change to:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_defenseflag( arg3 );
         if( value < 0 || value >= MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\n\r", arg3 );
         else
            xTOGGLE_BIT( victim->defenses, value );
      }


build.c, do_oset()

Locate:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_oflag( arg3 );
         if( value < 0 || value > MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\n\r", arg3 );
         else
         {
            if( value == ITEM_PROTOTYPE


Change to:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_oflag( arg3 );
         if( value < 0 || value >= MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\n\r", arg3 );
         else
         {
            if( value == ITEM_PROTOTYPE


db.c, fread_fuss_room()

Locate:
               while( roomflags[0] != '\0' )
               {
                  roomflags = one_argument( roomflags, flag );
                  value = get_rflag( flag );
                  if( value < 0 || value > MAX_BITS )
                     bug( "Unknown roomflag: %s", flag );
                  else
                     xSET_BIT( pRoomIndex->room_flags, value );
               }


Change to:
               while( roomflags[0] != '\0' )
               {
                  roomflags = one_argument( roomflags, flag );
                  value = get_rflag( flag );
                  if( value < 0 || value >= MAX_BITS )
                     bug( "Unknown roomflag: %s", flag );
                  else
                     xSET_BIT( pRoomIndex->room_flags, value );
               }


db.c, fread_fuss_object()

Locate:
               while( eflags[0] != '\0' )
               {
                  eflags = one_argument( eflags, flag );
                  value = get_oflag( flag );
                  if( value < 0 || value > MAX_BITS )
                     bug( "Unknown object extraflag: %s", flag );
                  else
                     xSET_BIT( pObjIndex->extra_flags, value );
               }


Change to:
               while( eflags[0] != '\0' )
               {
                  eflags = one_argument( eflags, flag );
                  value = get_oflag( flag );
                  if( value < 0 || value >= MAX_BITS )
                     bug( "Unknown object extraflag: %s", flag );
                  else
                     xSET_BIT( pObjIndex->extra_flags, value );
               }


db.c, fread_fuss_mobile()

Locate:
            if( !str_cmp( word, "Actflags" ) )
            {
               char *actflags = NULL;

               actflags = fread_flagstring( fp );

               while( actflags[0] != '\0' )
               {
                  actflags = one_argument( actflags, flag );
                  value = get_actflag( flag );
                  if( value < 0 || value > MAX_BITS )
                     bug( "Unknown actflag: %s", flag );
                  else
                     xSET_BIT( pMobIndex->act, value );
               }
               break;
            }

            if( !str_cmp( word, "Affected" ) )
            {
               char *affectflags = NULL;

               affectflags = fread_flagstring( fp );

               while( affectflags[0] != '\0' )
               {
                  affectflags = one_argument( affectflags, flag );
                  value = get_aflag( flag );
                  if( value < 0 || value > MAX_BITS )
                     bug( "Unknown affectflag: %s", flag );
                  else
                     xSET_BIT( pMobIndex->affected_by, value );
               }
               break;
            }

            if( !str_cmp( word, "Attacks" ) )
            {
               char *attacks = fread_flagstring( fp );

               while( attacks[0] != '\0' )
               {
                  attacks = one_argument( attacks, flag );
                  value = get_attackflag( flag );
                  if( value < 0 || value > MAX_BITS )
                     bug( "Unknown attackflag: %s", flag );
                  else
                     xSET_BIT( pMobIndex->attacks, value );
               }
               break;
            }


Change to:
            if( !str_cmp( word, "Actflags" ) )
            {
               char *actflags = NULL;

               actflags = fread_flagstring( fp );

               while( actflags[0] != '\0' )
               {
                  actflags = one_argument( actflags, flag );
                  value = get_actflag( flag );
                  if( value < 0 || value >= MAX_BITS )
                     bug( "Unknown actflag: %s", flag );
                  else
                     xSET_BIT( pMobIndex->act, value );
               }
               break;
            }

            if( !str_cmp( word, "Affected" ) )
            {
               char *affectflags = NULL;

               affectflags = fread_flagstring( fp );

               while( affectflags[0] != '\0' )
               {
                  affectflags = one_argument( affectflags, flag );
                  value = get_aflag( flag );
                  if( value < 0 || value >= MAX_BITS )
                     bug( "Unknown affectflag: %s", flag );
                  else
                     xSET_BIT( pMobIndex->affected_by, value );
               }
               break;
            }

            if( !str_cmp( word, "Attacks" ) )
            {
               char *attacks = fread_flagstring( fp );

               while( attacks[0] != '\0' )
               {
                  attacks = one_argument( attacks, flag );
                  value = get_attackflag( flag );
                  if( value < 0 || value >= MAX_BITS )
                     bug( "Unknown attackflag: %s", flag );
                  else
                     xSET_BIT( pMobIndex->attacks, value );
               }
               break;
            }


Locate:
               while( defenses[0] != '\0' )
               {
                  defenses = one_argument( defenses, flag );
                  value = get_defenseflag( flag );
                  if( value < 0 || value >= MAX_BITS )
                     bug( "Unknown defenseflag: %s", flag );
                  else
                     xSET_BIT( pMobIndex->defenses, value );
               }


deity.c, do_setdeity()

Locate:
            value = get_aflag( arg3 );
            if( value < 0 || value > MAX_BITS )
               ch_printf( ch, "Unknown flag: %s\r\n", arg3 );
            else
            {
               xTOGGLE_BIT( deity->affected, value );
               fMatch = TRUE;
            }


Change to:
            value = get_aflag( arg3 );
            if( value < 0 || value >= MAX_BITS )
               ch_printf( ch, "Unknown flag: %s\r\n", arg3 );
            else
            {
               xTOGGLE_BIT( deity->affected, value );
               fMatch = TRUE;
            }


mpxset.c, do_mpmset()

Locate:
         value = get_actflag( arg3 );
         if( value < 0 || value > MAX_BITS )
            progbug( "MpMset: Invalid flag", ch );


Change to:
         value = get_actflag( arg3 );
         if( value < 0 || value >= MAX_BITS )
            progbug( "MpMset: Invalid flag", ch );


Locate:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_aflag( arg3 );
         if( value < 0 || value > MAX_BITS )
            progbug( "MpMset: Invalid affected", ch );
         else
            xTOGGLE_BIT( victim->affected_by, value );
      }


Change to:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_aflag( arg3 );
         if( value < 0 || value >= MAX_BITS )
            progbug( "MpMset: Invalid affected", ch );
         else
            xTOGGLE_BIT( victim->affected_by, value );
      }


Locate:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_defenseflag( arg3 );
         if( value < 0 || value > MAX_BITS )
            progbug( "MpMset: Invalid defense", ch );
         else
            xTOGGLE_BIT( victim->defenses, value );
      }


Change to:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_defenseflag( arg3 );
         if( value < 0 || value >= MAX_BITS )
            progbug( "MpMset: Invalid defense", ch );
         else
            xTOGGLE_BIT( victim->defenses, value );
      }


mpxset.c, do_mposet()

Locate:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_oflag( arg3 );
         if( value < 0 || value > MAX_BITS )
            progbug( "MpOset: Invalid flag", ch );
         else
         {
            if( value == ITEM_PROTOTYPE )
               progbug( "MpOset: can't set prototype flag", ch );
            else
               xTOGGLE_BIT( obj->extra_flags, value );
         }
      }


Change to:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_oflag( arg3 );
         if( value < 0 || value >= MAX_BITS )
            progbug( "MpOset: Invalid flag", ch );
         else
         {
            if( value == ITEM_PROTOTYPE )
               progbug( "MpOset: can't set prototype flag", ch );
            else
               xTOGGLE_BIT( obj->extra_flags, value );
         }
      }


mud_prog.c, mprog_do_ifcheck()

Locate:
      if( !str_cmp( chck, "isaffected" ) )
      {
         int value = get_aflag( rval );

         if( value < 0 || value > MAX_BITS )
         {
            progbug( "Unknown affect being checked", mob );
            return BERR;
         }
         return IS_AFFECTED( chkchar, value ) ? TRUE : FALSE;
      }


Change to:
      if( !str_cmp( chck, "isaffected" ) )
      {
         int value = get_aflag( rval );

         if( value < 0 || value >= MAX_BITS )
         {
            progbug( "Unknown affect being checked", mob );
            return BERR;
         }
         return IS_AFFECTED( chkchar, value ) ? TRUE : FALSE;
      }


polymorph.c, do_morphset()

Locate:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_aflag( arg3 );
         if( value < 0 || value > MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\r\n", arg3 );
         else
            xTOGGLE_BIT( morph->affected_by, value );
      }


Change to:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_aflag( arg3 );
         if( value < 0 || value >= MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\r\n", arg3 );
         else
            xTOGGLE_BIT( morph->affected_by, value );
      }


Locate:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_aflag( arg3 );
         if( value < 0 || value > MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\r\n", arg3 );
         else
            xTOGGLE_BIT( morph->affected_by, value );
      }


Change to:
      while( argument[0] != '\0' )
      {
         argument = one_argument( argument, arg3 );
         value = get_aflag( arg3 );
         if( value < 0 || value >= MAX_BITS )
            ch_printf( ch, "Unknown flag: %s\r\n", arg3 );
         else
            xTOGGLE_BIT( morph->affected_by, value );
      }


Halcyon said:


The nature of XBV's is that for each integer within the extended bitvector structure, you get 32 bits. Stock, XBI is 4, so you get a total of 128 bits... But, your final usable bit is 127. Why? Because 0 is a bit as well.

MAX_BITS is INTBITS (32) * XBI (4), which is 128... But if your last usable bit is 127, why are virtually ALL of the calls to check against MAX_BITS in the code checking if value > MAX_BITS? It SHOULD be checking if value >= MAX_BITS. If you take a look at the functions used to manipulate XBV's, it reflects that, with statements like:

for( x = 0; x < MAX_BITS; x++ )


So how did the rest of the entire codebase get to checking improperly? Obviously, most MUDs aren't going to fill all 128 bitvector slots, but even so, it should at least be right for posterity.
       
Pages:<< prev 1 next >>