Fix findtravelpath buffer overflow

Test case: Bigroom, full of boulders, with a single path from travel start to travel end. Boulders (and doors) are added to the travelstep[xy] arrays multiple times, and will overflow the arrays. Original patch via Acehack by Alex Smith
2015-12-21 18:18:28 +02:00
parent 9a2eb370e7
commit 4b876b1aec
1 changed files with 8 additions and 4 deletions
--- a/src/hack.c
+++ b/src/hack.c
@@ -919,6 +919,7 @@ boolean guess;
                static int ordered[] = { 0, 2, 4, 6, 1, 3, 5, 7 };
                /* no diagonal movement for grid bugs */
                int dirmax = NODIAG(u.umonnum) ? 4 : 8;
+                boolean alreadyrepeated = FALSE;

                for (dir = 0; dir < dirmax; ++dir) {
                    int nx = x + xdir[ordered[dir]];
@@ -932,10 +933,13 @@ boolean guess;
                        /* closed doors and boulders usually
                         * cause a delay, so prefer another path */
                        if (travel[x][y] > radius - 3) {
-                            travelstepx[1 - set][nn] = x;
-                            travelstepy[1 - set][nn] = y;
-                            /* don't change travel matrix! */
-                            nn++;
+                            if (!alreadyrepeated) {
+                                travelstepx[1 - set][nn] = x;
+                                travelstepy[1 - set][nn] = y;
+                                /* don't change travel matrix! */
+                                nn++;
+                                alreadyrepeated = TRUE;
+                            }
                            continue;
                        }
                    }