From 3a9e53a629e0c69d38e51734dc98328afe73f4d4 Mon Sep 17 00:00:00 2001
From: nhmall
Date: Tue, 6 Feb 2024 13:12:04 -0500
Subject: [PATCH] issue #1205 - crash using the curses interface

curses_yn_function() was returning a value that wasn't in the subset of legal return values. This fixes that. The unexpected return value of 32 (or space) then brought to light an indexing error in the core that's been there a while, apparently since at least 3.2.0, and that caused a null pointer dereference in a strlen() call, which is what actually caused the crash in issue #1205. This fixes that too. Close #1205
---
 src/invent.c | 2 +-
 win/curses/cursdial.c | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/invent.c b/src/invent.c
index a2e99233e..2282cfdbf 100644
--- a/src/invent.c
+++ b/src/invent.c
@@ -5232,7 +5232,7 @@ let_to_name(char let, boolean unpaid, boolean showsym)
 else if ((pos = strchr(oth_symbols, let)) != 0)
 class_name = oth_names[pos - oth_symbols];
 else
- class_name = names[0];
+ class_name = names[ILLOBJ_CLASS];
 len = Strlen(class_name) + (unpaid ? sizeof "unpaid_" : sizeof "") + (oclass ? (Strlen(ocsymfmt) + invbuf_sympadding) : 0);
diff --git a/win/curses/cursdial.c b/win/curses/cursdial.c
index a2c52d57e..e0f25aa12 100644
--- a/win/curses/cursdial.c
+++ b/win/curses/cursdial.c
@@ -323,7 +323,8 @@ curses_character_input_dialog(
 }
 break;
 } else if ((answer == '\n') || (answer == '\r') || (answer == ' ')) {
- if ((choices != NULL) && (def != '\0')) {
+ if ((choices != NULL)
+ && ((def != '\0') || !strchr(choices, answer))) {
 answer = def;
 }
 break;
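Review bot: The final `else` in `let_to_name()` has no comment saying why index 0 must not be used, so the one-token fix `names[ILLOBJ_CLASS]` could easily be "simplified" back to `names[0]` later. The commit message says the old index let a null pointer reach `Strlen()`, which suggests `names[0]` is a null slot. If so, a comment on the assignment would record that, e.g. `/* unrecognized symbol: names[0] is a null placeholder, use the ILLOBJ_CLASS entry so Strlen() gets a real string */`. This fallback is reached by any `let` the earlier branches do not match, and the commit message shows such a value arriving from a window port, so out-of-set characters should be treated as expected input here. The function starts and ends outside the hunk.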
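Review bot: The widened test in the `'\n'`/`'\r'`/`' '` branch now runs `answer = def` even when `def` is `'\0'`, so an Enter or space that is not listed in `choices` ends the dialog with `'\0'`, and nothing near the `if` says so. A comment above the condition would make that contract explicit, e.g. `/* Enter/space not in choices: return def, which may be '\0' (no default) */`. Callers are not visible in this hunk, so it is worth confirming that each one treats `'\0'` as "no answer" rather than using it as a symbol or an index, which is the kind of use the invent.c hunk had to harden. The body of `curses_character_input_dialog()` begins and ends outside the hunk.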