freeciv-dev, August 2000: [Freeciv-Dev] [PATCH] Potential buffer overflow in city_name_suggestion()
While going through city_name_suggestion() in server/cityhand.c, I noticed that the temporary buffer used to construct new city names has size 100, rather than MAX_NAME_LEN (32). Under certain circumstances (if "city %d" is translated as a long string) this may lead to a buffer overflow. It is also more robust to use MAX_NAME_LEN in case this value is increased in the future.

While at it I couldn't resist the temptation to tweak things a little bit, so I moved things around a bit so that n_misc is only ever calculated when and if it is needed. I also raised the limit on names of the "city %d" type from 1000 to 60000 (is there any good reason why not?) and changed "city %d" to "City no. %d". I also changed the default value which is returned when everything else fails from "" to _("A poorly-named city"). Finally, I replaced '...' with a blurb to explain what the function does.

While going through the source to see what else would be affected by this, I noticed that get_a_name() in server/settlers.c is completely bogus. It merely calls city_name_suggestion() and then duplicates some of the sanity checking. And it uses an 80b buffer... I removed it and replaced its sole invocation with one of city_name_suggestion().

This patch comes in the form of two separate files since 1) using diff to generate only one file seems to require two copies of the source tree, which is too much trouble for me (BTW, does anyone know how to do this by hand?) and 2) the patches are logically distinct and could be applied separately, if need be. The patches are against CVS from 3 August.
Attachments:
- city_names_cityhand.diff
- city_names_settlers.diff

--
Big Gaute (not to be confused with LG)
I guess you guys got BIG MUSCLES from doing too much STUDYING!
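Added example, not taken from the patch or from the Freeciv source: a bounded version of the numbered-name loop the post describes, sized to MAX_NAME_LEN so that an over-long translated prefix is truncated instead of overrunning the buffer. The value of MAX_NAME_LEN, the list of existing names and the function names are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed: the post states MAX_NAME_LEN is 32 in Freeciv at the time. */
#define MAX_NAME_LEN 32

/* Constructed list of names already in use, standing in for the game's city table. */
static const char *const EXISTING_NAMES[] = { "City no. 1", "City no. 2", "Rome" };

int name_is_taken(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof EXISTING_NAMES / sizeof EXISTING_NAMES[0]; i++)
        if (strcmp(EXISTING_NAMES[i], name) == 0)
            return 1;
    return 0;
}

/* Write "<prefix><n>" into a buffer of out_len bytes. snprintf never writes past
 * out_len and always NUL-terminates, so a long translated prefix cannot overflow.
 * Returns 1 if the full name fitted, 0 if it was truncated. */
int build_numbered_city_name(char *out, size_t out_len, const char *prefix, int n)
{
    int needed = snprintf(out, out_len, "%s%d", prefix, n);
    if (needed < 0) { out[0] = '\0'; return 0; }
    return (size_t)needed < out_len;
}

/* Try numbered names 1..max_n until a free one is found. Returns 1 on success;
 * on truncation or exhaustion writes the fallback name and returns 0. */
int suggest_city_name(char *out, size_t out_len, const char *prefix, int max_n)
{
    int i;
    for (i = 1; i <= max_n; i++) {
        if (!build_numbered_city_name(out, out_len, prefix, i))
            break;                      /* would not fit: give up rather than loop on garbage */
        if (!name_is_taken(out))
            return 1;
    }
    snprintf(out, out_len, "%s", "A poorly-named city");
    return 0;
}

int main(void)
{
    char buf[MAX_NAME_LEN];             /* sized to MAX_NAME_LEN, not 100 */
    int ok = suggest_city_name(buf, sizeof buf, "City no. ", 60000);
    printf("%s (%s)\n", buf, ok ? "free" : "fallback");
    return 0;
}
```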