From 358278938afdcd07ca984d048e1ee24fcaac3c5c Mon Sep 17 00:00:00 2001
From: SHIRAKATA Kentaro <argrath@ub32.org>
Date: Tue, 12 Dec 2023 02:37:19 +0900
Subject: [PATCH] add sanity check on choose_classes_menu()

If class_list contains an illegal char for mon/obj class (even if it should not happen), it might cause out-of-bound access.
---
 src/windows.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/windows.c b/src/windows.c
index dfcf4e168..5eff48a3b 100644
--- a/src/windows.c
+++ b/src/windows.c
@@ -1664,15 +1664,24 @@ choose_classes_menu(const char *prompt,
     win = create_nhwindow(NHW_MENU);
     start_menu(win, MENU_BEHAVE_STANDARD);
     while (*class_list) {
+        int idx;
         selected = FALSE;
         switch (category) {
         case 0:
-            text = def_monsyms[def_char_to_monclass(*class_list)].explain;
+            if ((idx = def_char_to_monclass(*class_list)) == MAXMCLASSES) {
+                panic("choose_classes_menu: invalid monclass '%c'", *class_list);
+                /*NOTREACHED*/
+            }
+            text = def_monsyms[idx].explain;
             accelerator = *class_list;
             Sprintf(buf, "%s", text);
             break;
         case 1:
-            text = def_oc_syms[def_char_to_objclass(*class_list)].explain;
+            if ((idx = def_char_to_objclass(*class_list)) == MAXOCLASSES) {
+                panic("choose_classes_menu: invalid objclass '%c'", *class_list);
+                /*NOTREACHED*/
+            }
+            text = def_oc_syms[idx].explain;
             accelerator = next_accelerator;
             Sprintf(buf, "%c  %s", *class_list, text);
             break;