Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Color crash bug #40

Closed
warmstarter opened this issue Jun 25, 2021 · 5 comments
Closed

Color crash bug #40

warmstarter opened this issue Jun 25, 2021 · 5 comments

Comments

@warmstarter
Copy link
Contributor

Found an easy way to crash TinyFugue.

This would be a pretty standard way to set colors in my status bar:

/set vw_tablist_fg_world_attrs=@{Cyellow,Cbgrgb001}

But if I just set it to a non-existent color:

/set vw_tablist_fg_world_attrs=@{Ctestyellow,Cbgrgb001}

And then change my fgworld to trigger the color change in the status bar, TF dumps core. Presumably similar would happen with any way of setting that invalid color. Looks like colors are just being passed for evaluation rather than sanity checked.

Haven't yet tested if I can get a MUSH to remotely crash TF with this bug, but seems likely.
@warmstarter
Copy link
Contributor Author

warmstarter commented Jun 25, 2021
edited
Loading

Looks like this is a bit more complex, but possibly more widespread.

Standard status_attr gives an error for a bad color.

Here are the lines that seem to be the most likely cuplrits, looking like the issue is in decode_attr(), str*(), or substr(). Need to do some investigation there.

If you want to try it, the relevant code is in my scripts directory, you'll need vwstatus.tf (most likely culprit), vworld.tf, status.tf, and socket.tf

https://github.com/warmstarter/tinyfugue-scripts

/test _ret_item := strcat(_ret_item, vw_tablist_fg_world_attrs)

       /test _dret:=decode_attr(_ret) %;\
        /test _avail_len:=vw_get_tablist_size() %;\
        /if (strlen(_dret) > _avail_len) \
                /if (vw_exists(fg_world())) \
                        /test _fg_loc:=strstr(_dret, vw_tab_name(fg_world())) %;\
                /else \
                        /test _fg_loc:=strstr(_dret, fg_world()) %;\
                /endif %;\
                /test _cutoff:=strchr(_dret, "|[", _fg_loc - _avail_len/2 > 0 ? _fg_loc - _avail_len/2 : 0) %;\
        /else \
                /test _cutoff:=0 %;\
        /endif %;\
        /return tolower(substr({_dret}, _cutoff))

@warmstarter
Copy link
Contributor Author

Here it is .....

/eval /set colorcrash=@{CbgblackCRASH}Crash!
/test colorcrash := decode_attr(colorcrash)

@warmstarter
Copy link
Contributor Author

Ok, here's a hint, this also works. Given that the @{ is unmatched, it shouldn't even be attempting anything.

/eval /set colorcrash=@{CbgblackCRASH
/test colorcrash := decode_attr(colorcrash)

@warmstarter
Copy link
Contributor Author

https://pastebin.com/JxsizRcG

@warmstarter warmstarter mentioned this issue Jun 26, 2021
Merged
@warmstarter
Copy link
Contributor Author

This is fixed in #38

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@warmstarter