A gnuchess 5.04 bug


From: Solitude
Subject: A gnuchess 5.04 bug
Date: Tue, 17 Sep 2002 04:00:25 -0500 (CDT)

Hi!

I'm writing because I've hit upon a bug that causes gnuchess 5.04 to
segfault. I encounter the problem when I run gnuchess interactively and I
enter the commands 'test movegenspeed' or 'test capturespeed'.

I have found that the problem is two statements in the TestCmd function in
cmd.c, lines 786, 788.

When single-stepping in gdb, I used 'bt' to print out a backtrace of the
stack. (I had discovered that the program crashed because the stack had
been corrupted.) When on line 786, the stack was fine, after the sscanf at
788, the reference to main had been obliterated. This causes the segfault
to occur on the function's return.  I realized this is because line 786
allocates 10 bytes for its string, while "movegenspeed\0" and
"capturespeed\0" are both longer than 10 bytes, so this causes the 'cmd'
variable to not be null terminated.

I fixed the problem on my system by editing line 786 and changing cmd[10]
to become cmd[65], because I see that line 160 reads in 64 bytes. I'm not
sure my solution is correct, because the sscanf format string might make
the string larger; I haven't really looked at it that closely.

I have also noticed this exact same code appears in BookCmd() and
ShowCmd(). I discovered I can also trigger a buffer overflow with
"show 01234567890".

My system information: NetBSD 1.5.3 on an i386. I am running gnuchess 5.04
built from the ftp.gnu.org tarball, not from my OS vendor's pkg system.
I initially used the build command "CFLAGS=-O3 ./configure && make" and
then did it again with CFLAGS=-g.

Thanks for providing this excellent program!!

- John

"That which is best does not lie in quantity
 but in quality.  Mass in anything cheapens it.
 What is extraordinary is scant and rare;
 some judge a book by its thickness as though it were
 meant to exercise the arms instead of the mind."
        - Baltasar Gracián

NO SOLICITING!

Attachment: my-gnuchess-5.04-patch
Description: Text document
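The overflow John describes, next to a bounded replacement, as an added example in C that is not gnuchess's own code. The shape of the bug (a bare `%s` conversion into a 10-byte `cmd` buffer) and the helper names are assumptions, since the report does not quote the actual format string.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed buffer size from the report: cmd[10] at cmd.c line 786. */
#define CMD_SIZE 10

/* Bytes an unbounded "%s" would write from `arg`: the whitespace-delimited
 * token (after leading blanks) plus the terminating NUL. */
static size_t bytes_needed(const char *arg)
{
    while (*arg == ' ' || *arg == '\t') arg++;
    return strcspn(arg, " \t\r\n") + 1;
}

/* 1 if sscanf(arg, "%s", cmd) into a bufsize-byte buffer would overrun it.
 * This models the bug without performing the out-of-bounds write. */
int would_overflow(const char *arg, size_t bufsize)
{
    return bytes_needed(arg) > bufsize;
}

/* Hardened reader: a field width bounds the copy, and an explicit check
 * reports truncation instead of silently accepting a cut-off command.
 * Returns 0 on success, -1 if the token did not fit in cmd. */
int read_cmd_safely(const char *arg, char *cmd, size_t bufsize)
{
    char fmt[16];
    /* Width excludes the NUL, so bufsize-1: "%9s" for a 10-byte buffer. */
    snprintf(fmt, sizeof fmt, "%%%zus", bufsize - 1);
    cmd[0] = '\0';
    if (sscanf(arg, fmt, cmd) != 1) return -1;
    return bytes_needed(arg) > bufsize ? -1 : 0;
}

int main(void)
{
    char cmd[CMD_SIZE];
    /* Constructed inputs: the two subcommands from the report, one that fits,
     * and the argument from the "show" case. */
    const char *inputs[] = { "movegenspeed", "capturespeed", "eval", "01234567890" };
    for (size_t i = 0; i < 4; i++) {
        int rc = read_cmd_safely(inputs[i], cmd, sizeof cmd);
        printf("%-13s needs %2zu bytes: %s; bounded read -> %d (cmd=\"%s\")\n",
               inputs[i], bytes_needed(inputs[i]),
               would_overflow(inputs[i], CMD_SIZE) ? "overflows cmd[10]" : "fits",
               rc, cmd);
    }
    return 0;
}
```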

