Prevent accessing outside the mons array

Fix another out-of-bounds error Monster trying to decide if a tin could cure stoning looking at a special or empty tin would do acidic(&mons[-1])
2019-12-20 15:16:12 +02:00
parent c8fbb3b7b1
commit f4ab235b81
3 changed files with 12 additions and 4 deletions
--- a/doc/fixes36.5
+++ b/doc/fixes36.5
@@ -7,6 +7,8 @@ produce 3.6.5 as well as any post-release fixes in binaries.
 General Fixes and Modified Features
 -----------------------------------
 have string_for_opt() return empty_optstr on failure
+fix accessing mons[-1] when trying to gate in a non-valid demon
+fix accessing mons[-1] when monster figures out if a tin cures stoning
 ensure existing callers of string_for_opt() check return value before using it
 fix potential buffer overflow in add_menu_coloring()
 fix potential buffer overflow in sym_val()
--- a/src/minion.c
+++ b/src/minion.c
@@ -78,11 +78,13 @@ struct monst *mon;
    if (is_dprince(ptr) || (ptr == &mons[PM_WIZARD_OF_YENDOR])) {
        dtype = (!rn2(20)) ? dprince(atyp) : (!rn2(4)) ? dlord(atyp)
                                                       : ndemon(atyp);
-        cnt = (!rn2(4) && is_ndemon(&mons[dtype])) ? 2 : 1;
+        cnt = ((dtype != NON_PM)
+               && !rn2(4) && is_ndemon(&mons[dtype])) ? 2 : 1;
    } else if (is_dlord(ptr)) {
        dtype = (!rn2(50)) ? dprince(atyp) : (!rn2(20)) ? dlord(atyp)
                                                        : ndemon(atyp);
-        cnt = (!rn2(4) && is_ndemon(&mons[dtype])) ? 2 : 1;
+        cnt = ((dtype != NON_PM)
+               && !rn2(4) && is_ndemon(&mons[dtype])) ? 2 : 1;
    } else if (is_ndemon(ptr)) {
        dtype = (!rn2(20)) ? dlord(atyp) : (!rn2(6)) ? ndemon(atyp)
                                                     : monsndx(ptr);
@@ -91,7 +93,8 @@ struct monst *mon;
        dtype = (is_lord(ptr) && !rn2(20))
                    ? llord()
                    : (is_lord(ptr) || !rn2(6)) ? lminion() : monsndx(ptr);
-        cnt = (!rn2(4) && !is_lord(&mons[dtype])) ? 2 : 1;
+        cnt = ((dtype != NON_PM)
+               && !rn2(4) && !is_lord(&mons[dtype])) ? 2 : 1;
    } else if (ptr == &mons[PM_ANGEL]) {
        /* non-lawful angels can also summon */
        if (!rn2(6)) {
@@ -107,7 +110,8 @@ struct monst *mon;
        } else {
            dtype = PM_ANGEL;
        }
-        cnt = (!rn2(4) && !is_lord(&mons[dtype])) ? 2 : 1;
+        cnt = ((dtype != NON_PM)
+               && !rn2(4) && !is_lord(&mons[dtype])) ? 2 : 1;
    }

    if (dtype == NON_PM)
--- a/src/muse.c
+++ b/src/muse.c
@@ -2325,6 +2325,8 @@ boolean tinok;
    if (obj->otyp != CORPSE && (obj->otyp != TIN || !tinok))
        return FALSE;
    /* corpse, or tin that mon can open */
+    if (obj->corpsenm == NON_PM) /* empty/special tin */
+        return FALSE;
    return (boolean) (obj->corpsenm == PM_LIZARD
                      || (acidic(&mons[obj->corpsenm])
                          && (obj->corpsenm != PM_GREEN_SLIME