From 664b4eb643e0e1ed12d0e47859e27541421cd7f1 Mon Sep 17 00:00:00 2001
From: Alex Kompel
Date: Sun, 26 Apr 2015 14:47:38 -0700
Subject: [PATCH] bubble structure contains pointer into static array.

Bubble objects are being flat-dumped into save file and this causes segfault in restore() whenever data segment layout changes (e.g. global variables added/removed). bmask should either be stored with the objects.

---
 include/lev.h | 4 +++-
 src/mkmaze.c | 7 ++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/include/lev.h b/include/lev.h
index e3e05ec9a..b2a99841a 100644
--- a/include/lev.h
+++ b/include/lev.h
@@ -13,6 +13,8 @@
 #define WRITE_SAVE 0x2
 #define FREE_SAVE 0x4
 
+#define MAX_BMASK 4
+
 /* operations of the various saveXXXchn & co. routines */
 #define perform_bwrite(mode) ((mode) & (COUNT_SAVE|WRITE_SAVE))
 #define release_data(mode) ((mode) & FREE_SAVE)
@@ -33,7 +35,7 @@ struct container {
 struct bubble {
     xchar x, y; /* coordinates of the upper left corner */
     schar dx, dy; /* the general direction of the bubble's movement */
-    uchar *bm; /* pointer to the bubble bit mask */
+    uchar bm[MAX_BMASK+2]; /* bubble bit mask */
     struct bubble *prev, *next; /* need to traverse the list up and down */
     struct container *cons;
 };
diff --git a/src/mkmaze.c b/src/mkmaze.c
index 42851c0df..5b793b32d 100644
--- a/src/mkmaze.c
+++ b/src/mkmaze.c
@@ -1267,6 +1267,9 @@ register int x, y, n;
         impossible("n too large (mk_bubble)");
         n = SIZE(bmask) - 1;
     }
+    if (bmask[n][1] > MAX_BMASK) {
+        panic("bmask size is larger than MAX_BMASK");
+    }
     b = (struct bubble *)alloc(sizeof(struct bubble));
     if ((x + (int) bmask[n][0] - 1) > bxmax) x = bxmax - bmask[n][0] + 1;
     if ((y + (int) bmask[n][1] - 1) > bymax) y = bymax - bmask[n][1] + 1;
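Review bot: `MAX_BMASK` is introduced without a comment, so nothing at the definition site says what it bounds or that it has to track the `bmask[]` table in mkmaze.c, which is the only thing that gives the new guard in mk_bubble its meaning. A one-line comment on the define would close that gap: `#define MAX_BMASK 4 /* max rows in a bubble bit mask; must be >= the height ([1]) of every bmask[] entry in mkmaze.c */`.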
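Review bot: Replacing the pointer with an inline `bm[MAX_BMASK+2]` changes the size and layout of `struct bubble`, and since the commit message says bubbles are written to the save file as a flat dump, saves produced before this change will be read back through the new layout unless the save-format version marker is bumped in the same commit; no such bump is in this diff (the version/patchlevel handling is outside what I can see, so please confirm). The new field comment also drops information the reader needs: the first two bytes are the mask's width and height and the rest are rows, as the `bmask[n][0]` / `bmask[n][1]` uses in mk_bubble show. Suggest `uchar bm[MAX_BMASK+2]; /* bubble bit mask: [0]=width, [1]=height, then height rows */`.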
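Review bot: The new guard checks a property of a static table at run time, so a too-tall `bmask[]` entry is only caught when a bubble level is actually generated, and `panic` is the only outcome. This code base uses K&R-style definitions, so a build-time assertion is probably unavailable; the minimum is a comment at the check explaining what it protects: `/* b->bm holds a 2-byte header plus up to MAX_BMASK rows; the memcpy below relies on this */`. The check is also the only thing keeping that later copy inside `b->bm`, so it must stay ahead of the copy if this function is rearranged. mk_bubble's body continues outside the hunk.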
@@ -1274,7 +1277,9 @@ register int x, y, n;
     b->y = y;
     b->dx = 1 - rn2(3);
     b->dy = 1 - rn2(3);
-    b->bm = bmask[n];
+    /* y dimension is the length of bitmap data - see bmask above */
+    (void)memcpy((genericptr_t)b->bm, (genericptr_t)bmask[n],
+                 (bmask[n][1]+2)*sizeof(b->bm[0]));
     b->cons = 0;
     if (!bbubbles) bbubbles = b;
     if (ebubbles) {
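Review bot: The memcpy copies only `bmask[n][1]+2` bytes into `b->bm`, so for masks shorter than MAX_BMASK rows the tail of `b->bm` keeps whatever `alloc()` handed back; if `alloc()` is a plain malloc wrapper (not visible here, please confirm) those uninitialized bytes are later written verbatim into the save file, which makes the output nondeterministic and leaks a few bytes of heap contents to disk. Zero the field before the copy: `(void)memset((genericptr_t)b->bm, 0, sizeof b->bm);`. The copy stays in bounds only because of the `> MAX_BMASK` panic added in the previous hunk, so a short comment here (`/* length is bounded by the MAX_BMASK check above */`) would make that dependency visible. The restore side, which is not in this diff, now reads `bm[1]` back from the file and presumably uses it as a row count, so it should clamp that byte to MAX_BMASK before iterating over `bm`. mk_bubble continues outside the hunk.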