From 8a1d0746862eaad184a54949e80a799f7f13dbcc Mon Sep 17 00:00:00 2001
From: "nethack.rankin"
Date: Tue, 5 Jun 2007 02:45:09 +0000
Subject: [PATCH] #adjust bounds bug

Noticed while looking at something else: doorganize() goes out of array bounds for alphabet[] when inventory contains something in the '#' slot, or in the '$' slot for GOLDOBJ config. Both # and $ pass the (let <= 'Z') test, then produce a negative result for (let - 'A' + 26). In my case, it was harmlessly clobbering the tail end of buf[] but it could potentially be a lot worse.
---
 src/invent.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/invent.c b/src/invent.c
index 0d1475a28..2eb120f26 100644
--- a/src/invent.c
+++ b/src/invent.c
@@ -1,4 +1,4 @@
-/* SCCS Id: @(#)invent.c 3.5 2007/01/02 */
+/* SCCS Id: @(#)invent.c 3.5 2007/06/04 */
 /* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */
 /* NetHack may be freely redistributed. See license for details. */
@@ -2937,11 +2937,13 @@ doorganize() /* inventory organizer by Del Lamb */
 /* blank out all the letters currently in use in the inventory */
 /* except those that will be merged with the selected object */
 for (otmp = invent; otmp; otmp = otmp->nobj)
-if (otmp != obj && !mergable(otmp,obj)) {
-if (otmp->invlet <= 'Z')
-alphabet[(otmp->invlet) - 'A' + 26] = ' ';
-else alphabet[(otmp->invlet) - 'a'] = ' ';
-}
+if (otmp != obj && !mergable(otmp, obj)) {
+let = otmp->invlet;
+if (let >= 'a' && let <= 'z')
+alphabet[let - 'a'] = ' ';
+else if (let >= 'A' && let <= 'Z')
+alphabet[let - 'A' + 26] = ' ';
+}
 /* compact the list by removing all the blanks */
 for (ix = cur = 0; alphabet[ix]; ix++)
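Review bot: The new index arithmetic `alphabet[let - 'a']` and `alphabet[let - 'A' + 26]` still hard-codes the layout of alphabet[] as 26 lowercase slots followed by 26 uppercase ones, and the initializer that establishes that layout is outside this hunk, so the bounds fix stays correct only as long as the two are kept in step. A comment on the new `else if` chain would make that contract explicit, e.g. `/* alphabet[] is a-z then A-Z; '#' (and '$' under GOLDOBJ) have no slot there and are deliberately skipped */`, so a future extension of the slot set is updated in both places. The loop also reuses `let` as a scratch variable; if that is the same `let` that later receives the player's chosen slot letter, this is safe only because the loop runs before that prompt, which cannot be seen here, and a dedicated local such as `char cur_let` would remove the ordering dependency. doorganize() starts and ends outside the hunk.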