github PR #1259 - counts in curses menus

Pull request from mkuoppal: curses menu handling could go out of bounds accessing array groupaccels[] if strange input gave a false positive for STDC's isdigit(). Discovered by debug fuzzer. Failure was triggering an error by the undefined behavior sanitizer. [randomkey() ought to return int rather than char.] Closes #1259
2024-06-22 23:40:27 -07:00
parent 54138bbbe3 238d501cce
commit 0604b3ea22
1 changed files with 2 additions and 1 deletions
--- a/win/curses/cursdial.c
+++ b/win/curses/cursdial.c
@@ -1555,7 +1555,8 @@ menu_get_selections(WINDOW *win, nhmenu *menu, int how)
            }
            /*FALLTHRU*/
        default:
-            if (isdigit(curletter) && !selectors[curletter]
+            if (curletter > 0 && curletter < 256
+                && isdigit(curletter) && !selectors[curletter]
                && !groupaccels[curletter]) {
                count = curses_get_count(curletter);
                /* after count, we know some non-digit is already pending */