From d9a1bbb2030035463f740a277acfc9faa29e1eae Mon Sep 17 00:00:00 2001
From: PatR
Date: Thu, 3 Oct 2019 15:45:43 -0700
Subject: [PATCH] fix #H9269 - potential panic due to window slots

A couple of early returns could result in temporary windows getting left around instead of being released for re-use, which in turn might lead to a panic due to lack of available window slots. The first one is accompanied by an 'impossible' warning which no one has ever reported and the second one could only happen if data file 'keyhelp' was missing, so panic due to either of these is hypothetical as far as released versions go. Somebody making modifications could run afoul of either of them though. query_category() - switch from early return to 'goto' so that the temporary window used for a menu will always be destroyed; whatdoes_help() - defer creating the display window until after the data file has been successfully opened so that early return won't need any window cleanup.
---
 doc/fixes36.3 | 8 +++++++-
 src/pager.c | 5 +++--
 src/pickup.c | 12 ++++++++----
 3 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/doc/fixes36.3 b/doc/fixes36.3
index 55d8d28a9..4c3bd945e 100644
--- a/doc/fixes36.3
+++ b/doc/fixes36.3
@@ -1,4 +1,4 @@
-$NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.116 $ $NHDT-Date: 1569276988 2019/09/23 22:16:28 $
+$NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.121 $ $NHDT-Date: 1570142734 2019/10/03 22:45:34 $
 
 This fixes36.3 file is here to capture information about updates in the 3.6.x lineage following the release of 3.6.2 in May 2019. Please note, however,
@@ -157,6 +157,12 @@ uarmh null pointer dereference if a helm of opposite alignment came off due
 verb tense was inappropriate in some messages when a mon/pet had a name
 ending in 's'
 orctown booty items should have been initialized in mksobj()
+query_category() and whatdoes_help() had early returns which could each leave
+ a temporary window around, which in turn might eventually lead to a
+ panic due to lack of window slots [probably moot for unmodified 3.6.x;
+ the query one couldn't happen unless there is a coding error for
+ object classes somewhere and the help one couldn't happen unless the
+ installed data files left 'keyhelp' missing]
 
 
 Fixes to Post-3.6.2 Problems that Were Exposed Via git Repository
diff --git a/src/pager.c b/src/pager.c
index 96abfef26..86dad4414 100644
--- a/src/pager.c
+++ b/src/pager.c
@@ -1,4 +1,4 @@
-/* NetHack 3.6 pager.c $NHDT-Date: 1562632673 2019/07/09 00:37:53 $ $NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.154 $ */
+/* NetHack 3.6 pager.c $NHDT-Date: 1570142734 2019/10/03 22:45:34 $ $NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.156 $ */
 /* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */
 /*-Copyright (c) Robert Patrick Rankin, 2018. */
 /* NetHack may be freely redistributed. See license for details. */
@@ -1575,7 +1575,7 @@ whatdoes_help()
 {
 dlb *fp;
 char *p, buf[BUFSZ];
- winid tmpwin = create_nhwindow(NHW_TEXT);
+ winid tmpwin;
 
 fp = dlb_fopen(KEYHELP, "r");
 if (!fp) {
@@ -1583,6 +1583,7 @@ whatdoes_help()
 display_nhwindow(WIN_MESSAGE, TRUE);
 return;
 }
+ tmpwin = create_nhwindow(NHW_TEXT);
 while (dlb_fgets(buf, (int) sizeof buf, fp)) {
 if (*buf == '#')
 continue;
diff --git a/src/pickup.c b/src/pickup.c
index ab8d5f069..16473747e 100644
--- a/src/pickup.c
+++ b/src/pickup.c
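Review bot: In the second pager.c hunk the only thing keeping the `!fp` early return leak-free is now statement order: `tmpwin = create_nhwindow(NHW_TEXT);` sits right after the check with nothing saying why, so the next person tidying declarations could hoist it back up and silently reintroduce the slot leak this commit removes. I'd pin the invariant with a comment on the new line, `/* create the window only now that KEYHELP is open; the !fp return above must stay free of window cleanup */`. The remainder of whatdoes_help() (the read loop, the display, and wherever fp is closed and tmpwin destroyed) is outside the hunk, so I cannot confirm from here that every later path releases both the file handle and the window. The function body begins in the first pager.c hunk and ends outside this one.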
@@ -1,4 +1,4 @@
-/* NetHack 3.6 pickup.c $NHDT-Date: 1562203851 2019/07/04 01:30:51 $ $NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.229 $ */
+/* NetHack 3.6 pickup.c $NHDT-Date: 1570142736 2019/10/03 22:45:36 $ $NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.234 $ */
 /* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */
 /*-Copyright (c) Robert Patrick Rankin, 2012. */
 /* NetHack may be freely redistributed. See license for details. */
@@ -1063,11 +1063,13 @@ int how; /* type of query */
 if (curr) {
 *pick_list = (menu_item *) alloc(sizeof(menu_item));
 (*pick_list)->item.a_int = curr->oclass;
- return 1;
+ n = 1;
 } else {
 debugpline0("query_category: no single object match");
+ n = 0;
 }
- return 0;
+ /* early return is ok; there's no temp window yet */
+ return n;
 }
 
 win = create_nhwindow(NHW_MENU);
@@ -1120,7 +1122,8 @@ int how; /* type of query */
 pack++;
 if (invlet >= 'u') {
 impossible("query_category: too many categories");
- return 0;
+ n = 0;
+ goto query_done;
 }
 } while (*pack);
 
@@ -1180,6 +1183,7 @@ int how; /* type of query */
 }
 end_menu(win, qstr);
 n = select_menu(win, how, pick_list);
+ query_done:
 destroy_nhwindow(win);
 if (n < 0)
 n = 0; /* caller's don't expect -1 */
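Review bot: The new `goto query_done;` in the 'too many categories' branch jumps over `end_menu(win, qstr)` and `select_menu()` straight to `destroy_nhwindow(win)`, so the menu window is torn down after items were presumably added but without ever being ended; that is the intent (release the slot), but it is worth confirming that every window port tolerates destroying an un-ended NHW_MENU, and that `*pick_list` is already cleared on that path, which depends on code before the hunk. Since the label is now a second entry into the cleanup tail, I'd document it: `query_done: /* also reached from the 'too many categories' bail-out with n == 0; win never saw end_menu() */`. query_category() begins before the first pickup.c hunk and continues past the last one.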