Insidious bug in Count() in backend.c

Postby beneficii » 21 Nov 2015, 20:10

In Count() in backend.c, there is a bug that can result in an increment to an index in an array that is out-of-range. The code should be changed as follows:

From:

Code:
p = board[r][f];
pCnt[p]++;   /* p can exceed EmptySquare (e.g. DarkSquare), writing past pCnt[] */

To:

Code:
p = board[r][f];
if(p <= EmptySquare) pCnt[p]++;   /* only indices pCnt[EmptySquare+1] can hold */

The reason for this is that pCnt[] as called by Adjudicate(), also in backend.c, takes a static array that is declared as nr[EmptySquare+1]. Therefore, if the loop in Count() comes across a square with a higher index than EmptySquare, such as DarkSquare, then the increment is out-of-range.

In debugging with a chess variant that does use squares with a higher index than EmptySquare (specifically, I added one called Impassable, which was DarkSquare + 1 and EmptySquare + 2), the stack around the variable staleB in Adjudicate() kept getting corrupted. In extensive debugging where I kept a watch on the stack around that variable, I found that the code above, without checking that p <= EmptySquare, was the culprit. Making the change by adding the check fixed the problem.
beneficii
 
Posts: 43
Joined: 07 May 2010, 05:17
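To make the failure mode concrete, here is an added example (not WinBoard's own code) with a constructed, shortened ChessSquare-style enum and the checked Count() loop from the report, extended to also report how many squares fell past EmptySquare; the enum values, board size and function names are assumptions.

```c
#include <stdio.h>

/* Constructed, shortened stand-in for WinBoard's ChessSquare enum (assumption:
   only the ordering matters here). EmptySquare is the last value that the
   counting array in Adjudicate(), declared nr[EmptySquare+1], can index;
   DarkSquare and the variant-specific Impassable lie past its end. */
enum Square {
    WhitePawn, WhiteKnight, WhiteBishop, WhiteRook, WhiteQueen, WhiteKing,
    BlackPawn, BlackKnight, BlackBishop, BlackRook, BlackQueen, BlackKing,
    EmptySquare,                 /* pCnt[] holds indices 0..EmptySquare */
    DarkSquare,                  /* EmptySquare + 1 */
    Impassable                   /* EmptySquare + 2 */
};

#define RANKS 4
#define FILES 4
typedef enum Square Board[RANKS][FILES];

/* Fixed Count(): the p <= EmptySquare check keeps every increment inside
   pCnt[EmptySquare+1]. Squares past EmptySquare are not counted but are
   tallied in *skipped so the caller can tell that the board contained them. */
void count_pieces(Board board, int pCnt[EmptySquare + 1], int *skipped)
{
    int i, r, f;
    for (i = 0; i <= EmptySquare; i++) pCnt[i] = 0;
    *skipped = 0;
    for (r = 0; r < RANKS; r++)
        for (f = 0; f < FILES; f++) {
            enum Square p = board[r][f];
            if (p <= EmptySquare) pCnt[p]++;   /* in range: safe to count */
            else (*skipped)++;                 /* DarkSquare / Impassable */
        }
}

/* Constructed sample position: mostly empty, two white pawns, one black
   king, plus one DarkSquare and one Impassable square (the variant case). */
void sample_board(Board board)
{
    int r, f;
    for (r = 0; r < RANKS; r++)
        for (f = 0; f < FILES; f++) board[r][f] = EmptySquare;
    board[0][0] = WhitePawn;  board[0][1] = WhitePawn;
    board[3][3] = BlackKing;
    board[1][1] = DarkSquare; board[2][2] = Impassable;
}
```

Without the check, the two skipped squares would have incremented pCnt[EmptySquare+1] and pCnt[EmptySquare+2], which is exactly the write beyond nr[] that lands on whatever Adjudicate() keeps next to it on the stack.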

Re: Insidious bug in Count() in backend.c

Postby H.G.Muller » 25 Nov 2015, 17:43

Thank you for spotting this. This counting code is from before the introduction of dark squares, and the latter was never really tested thoroughly.
H.G.Muller
 
Posts: 3453
Joined: 16 Nov 2005, 12:02
Location: Diemen, NL
