From 60dc14952ded6b823caab30fe00c284332fda862 Mon Sep 17 00:00:00 2001
From: nhmall
Date: Sat, 14 Sep 2024 12:54:34 -0400
Subject: [PATCH] overflow if 'word' arg points to full QBUFSZ buf

This prevents a buffer overflow that was encountered during fuzzing, but the underlying issue in the caller dodip() is still pending. That appears to be the result of 'obuf' not being filled with appropriate content prior to being used at line 2343 in potion.c.
---
 src/invent.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/invent.c b/src/invent.c
index fcf1f5bc8..19495f641 100644
--- a/src/invent.c
+++ b/src/invent.c
@@ -1930,7 +1930,8 @@ getobj(
 menuquery[0] = qbuf[0] = '\0';
 if (iflags.force_invmenu)
- Sprintf(menuquery, "What do you want to %s?", word);
+ Snprintf(menuquery, sizeof menuquery,
+ "What do you want to %s?", word);
 if (!allowed_choices || *allowed_choices == HANDS_SYM
 || *buf == HANDS_SYM)
 handsbuf = getobj_hands_txt(word, qbuf);
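Review bot: The bounded write protects `menuquery` only; the same `word` is handed two lines later to `getobj_hands_txt(word, qbuf)`, and the prompt built from `qbuf` further down in getobj (outside this hunk) presumably formats `word` as well, so if those paths are still Sprintf-based the fuzzer's input just moves the overflow rather than removing it. Snprintf also bounds the write but not the read: when `word` comes from the unfilled `obuf` the commit message describes, `%s` can still scan past the end of that buffer, so the caller-side fix remains the real one. Until it lands, a comment at the Snprintf call would tell the next reader why the bound is there, e.g. `/* 'word' may point into a caller's full QBUFSZ buffer; bound the write (caller fix still pending) */`. getobj continues outside the hunk on both sides.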