Bug 292032

Summary: KNetWalk 3.0.1 potential integer overflow, score cheat and division by zero crash
Product: [Applications] knetwalk Reporter: Jaak Ristioja <jaak>
Component: generalAssignee: Fela Winkelmolen <fela.kde>
Status: RESOLVED INTENTIONAL    
Severity: minor CC: aacid, kde-games-bugs
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: unspecified   
OS: All   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Jaak Ristioja 2012-01-20 13:28:40 UTC
Version:           3.0.1 (using KDE 4.7.4) 
OS:                All

In MainWindow::rotationPerformed() method, m_clickCount is incremented but not checked for overflow. This makes it possible to cheat on your score. Additionally, for example, if m_clickCount reaches -3 or -2 at the moment the game is won, then in MainWindow::gameOver() method, penalty may be set to 0.0, resulting in a division by zero when calculating a value for the score variable. :)

Reproducible: Didn't try

Steps to Reproduce:
I held down the keyboard button for rotate, but it seemed to take too long to reproduce so I abandoned the effort. You're welcome to try thou...


Expected Results:  
Perhaps a "Game lost!" message would suffice when m_clickCount goes past (INT_MAX - 1).

It's very unlikely this bug will ever be triggered in real life.
Comment 1 Andrew Crouthamel 2018-11-06 15:14:30 UTC
Dear Bug Submitter,

This bug has been stagnant for a long time. Could you help us out and re-test if the bug is valid in the latest version? I am setting the status to NEEDSINFO pending your response, please change the Status back to REPORTED when you respond.

Thank you for helping us make KDE software even better for everyone!
Comment 2 Jaak Ristioja 2018-11-09 23:12:28 UTC
Yes, the bug still seems to be there:

https://cgit.kde.org/knetwalk.git/tree/src/mainwindow.cpp#n271

Although commit abe2f6ab1fb3c60d45cc8a2ce8d108ef2ae6cef5 changed the method name to rotationStarted() instead.
Comment 3 Albert Astals Cid 2018-11-09 23:28:03 UTC
If you did so many clicks that you got m_clickCount to wrap and then go back to -2, your score will be -2147483648 (i just faked the to make m_clickCount be -2, didn't click so many times).

-2147483648 seems an accurate very low score for clicking so many times.
Comment 4 Jaak Ristioja 2018-11-10 13:45:37 UTC
I agree, but if you continue clicking, and then it eventually wraps from negative to positive again, which might yield in positive scores.

So if the program survives the undefined behavior of the integer overflow, it is followed by ever more undefined behavior in MainWindow::gameOver(), e.g. -NaN not being in the range of representative values values for int, and a division by zero. :)

Why not just add guard to keep the overflow from happening and call it "game over: too many moves"?
Comment 5 Albert Astals Cid 2018-11-10 22:02:58 UTC
Because it's a waste of everyones time. Let's say you can click ten times per second, you need to be clicking at that rate during 7 years to make the counter wrap.
Comment 6 Jaak Ristioja 2018-11-10 23:20:37 UTC
(In reply to Albert Astals Cid from comment #5)
> Because it's a waste of everyones time. Let's say you can click ten times
> per second, you need to be clicking at that rate during 7 years to make the
> counter wrap.

Alrighty. But how about the division-by-zero in the same place if one solves an Easy (5x5) board in before the first second elapses (given one can also pause the game)? It only seems to take 20 clicks or so. :D