Prevent extremely long command line arguments from overflowing local
buffers in raw_printf or config_error_add. The increased buffer
sizes they recently got to deal with long configuration file values
aren't sufficient to handle command line induced overflows.
choose_windows(core): copy and truncate the window_type argument in
case it gets passed to config_error_add().
process_options(unix): report bad values with "%.60s" so that vsprintf
will implicitly truncate when formatted by raw_printf().
Fix 'Bugs 4, 5, and 6' which all use a similar fix but would have
conflicts over '#define BIGBUFSZ' if committed separately.
Format ("short explanation %s", string_argument), where the
explanation always has modest length but the string is potentially
up to 4*BUFSZ in length, into a 5*BUFSZ buffer. Then truncate the
result to at most BUFSZ-1 characters so that it can be safely passed
to interface-specific putstr() or raw_print().
Applies to pline(), raw_printf(), and config_error_add(). Also done
for impossible() although there's no evidence that its buffer could
be overflowed in a controlled manner.
Fix 'Bug 3' where too long SYMBOL=string in run-time config file could
overflow a local buffer and clobber the stack.
Valid value is only one character long after processing an 'escaped'
encoded character which can be at most 6 characters (plus terminator):
backslash M backslash and up three digits. If/when UTF8 gets added
the number of digits will increase. Use a truncated copy of the input
(substantially bigger than 6+1); ignore any excess.
Fix 'Bug 2' where too long MENUCOLOR=string in run-time config file
could overflow a local buffer and clobber the stack.
Theoretically a menu coloring regular expression could require a
bigger buffer but I don't think we need to try to support that.
255 characters minus the amount needed to specify color and/or
attributes should be ample.
have string_for_opt() return the value string or empty_optstr to
provide some level of crash protection if some future added option
processing misbehaves. Callers of string_for_opt() and
string_for_env_opt() should always check for a match to empty_optstr.
Guard against potential bad arguments: first index greaer than last.
Return STRANGE_OBJECT instead of hardcoded 0 if it ever fails (which
should be impossible with good arguments).
Give 'novel' a 1 in 1000 chance of being created in place of each
random spellbook (except for hero's initial inventory and NPC
priests' monster inventory and divine reward for prayer--those all
force regular spellbooks; statue contents aren't among the
exceptions--those books can now be novels). Shop inventory (where
first book or scroll shop created is guaranteed one novel) hasn't
been touched. If there is any other special spellbook handling
somewhere, I've overlooked it.
Polymophed into a giant and moving onto a boulder's location could
yield "you easily pick it up" (without actually doing so) followed
by "you see a boulder here". It would happen if autopickup was Off,
or if the 'm' move-without-autopickup prefix was used, while either
boulder was included in pickup_types (including when that is set
for 'all') or hero had thrown that particular boulder and
pickup_thrown was On. The check for whether auto-pick should try
on an object relied on its caller verifying that autopickup was On.
pickup() does that for
pickup() -> autopick() -> autopick_testobj()
but moverock() wasn't doing that for
moverock() -> autopick_testobj()
so the logic controlling moverock's message was subverted.
I first thought that logic itself was incorrect and changed the
message. This keeps the new message even though it turned out not
to be cause of the problem.
Fixes#279
