From 4e2494c8595fce30de9a028a6ac0e21197c30972 Mon Sep 17 00:00:00 2001
From: PatR
Date: Mon, 30 Sep 2024 12:41:29 -0700
Subject: [PATCH] fix hunger status highlighting text match

Crash triggered by fuzzer. The Null value for not-hungry between "Satiated" and "Hungry" in the array of possible hunger states caused a crash if C++ regex handling was being used. With posixregex, it would pass benignly for tty but crash for curses. I didn't check any other interface.
---
 doc/fixes3-7-0.txt | 4 ++++
 src/botl.c | 2 ++
 src/windows.c | 6 ++++++
 3 files changed, 12 insertions(+)

diff --git a/doc/fixes3-7-0.txt b/doc/fixes3-7-0.txt
index cf97570a9..6dd35d38e 100644
--- a/doc/fixes3-7-0.txt
+++ b/doc/fixes3-7-0.txt
@@ -1467,6 +1467,10 @@ when a secret corridor was discovered by wand of secret door detection or by forgotten unless within range of a light source when poly'd into a giant, kicking a closed door always succeeds in breaking it reduce crystal plate mail weight
+interactively setting a status highlight for hunger with 'O' and choosing
+ 'text match' could crash while setting up the menu of hunger status
+ value strings; happened for curses or if the program was built to
+ use C++ regex processing but not for tty+posixregex
 Fixes to 3.7.0-x General Problems Exposed Via git Repository
diff --git a/src/botl.c b/src/botl.c
index 21692d4bb..51f15f19d 100644
--- a/src/botl.c
+++ b/src/botl.c
@@ -2502,6 +2502,8 @@ query_arrayvalue(
 start_menu(tmpwin, MENU_BEHAVE_STANDARD);
 for (i = arrmin; i < arrmax; i++) {
+ if (!arr[i]) /* the array of hunger status values has a gap ...*/
+ continue; /*... set to Null between Satiated and Hungry */
 any = cg.zeroany;
 any.a_int = i + adj;
 add_menu(tmpwin, &nul_glyphinfo, &any, 0, 0, ATR_NONE,
diff --git a/src/windows.c b/src/windows.c
index de126da2a..d763f7eaf 100644
--- a/src/windows.c
+++ b/src/windows.c
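Review bot: The comment on the new `if (!arr[i])` guard describes only the hunger table, but `query_arrayvalue(` reads as a generic helper, so the guard applies to every array a caller passes in and the comment should say so: `if (!arr[i]) /* skip Null entries (the hunger table has one between Satiated and Hungry) so add_menu() never sees a Null string */`. Splitting one remark across the two lines as `...*/` and `/*...` also reads as two separate comments; keeping it on one line avoids that. Skipping the slot rather than substituting a placeholder keeps `any.a_int = i + adj` tied to the real index, so a later selection still maps back to the right entry. The loop body and the start and end of query_arrayvalue lie outside the hunk.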
@@ -1797,6 +1797,12 @@ add_menu(
 const char *str, /* menu text */
 unsigned int itemflags) /* itemflags such as MENU_ITEMFLAGS_SELECTED */
 {
+ if (!str) {
+ /* if 'str' is Null, just return without adding any menu entry */
+ debugpline0("add_menu(Null)");
+ return;
+ }
+
 if (iflags.use_menu_color) {
 if ((itemflags & MENU_ITEMFLAGS_SKIPMENUCOLORS) == 0)
 (void) get_menu_coloring(str, &color, &attr);
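Review bot: The new guard at the top of `add_menu` drops the entry silently in non-debug builds if `debugpline0` compiles to nothing there, which hides exactly the caller bug (a Null `str`) that the matching botl.c change in this commit had to fix by hand. If the program has a non-fatal diagnostic channel that stays active in release builds, report through it here instead of, or in addition to, `debugpline0`; otherwise at least widen the comment so the intent is not lost: `/* defensive: a Null 'str' is a caller bug (e.g. a gap in a value table); skip the entry rather than let the window port dereference it */`. The early return also skips the menu-coloring step below it and, presumably, the window-port call later in the body, which is the desired effect. add_menu's parameter list begins before the hunk and its body continues past it.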