From 5fe41fbc3a95febedae9d4c6d57db79f516e1096 Mon Sep 17 00:00:00 2001
From: "John \"Elwin\" Edwards"
Date: Wed, 5 Sep 2012 10:14:34 -0700
Subject: [PATCH] arogue5: fix the crash when checking prices in shops.

A buffer called curpurch, which stores a description of an item in a trading post which the player might be interested in, was only 15 bytes. It was overflowing into oldrp, a room pointer, leading to segfaults. The size of curpurch has been increased to LINELEN*2, which matches the size of prbuf, which is returned by inv_name and then strcpy()'d to curpurch. As long as nothing overflows prbuf it should be safe now. NOTE that this breaks savefile compatibility.
---
 arogue5/rogue.c | 2 +-
 arogue5/state.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/arogue5/rogue.c b/arogue5/rogue.c
index 3de7605..24aa48f 100644
--- a/arogue5/rogue.c
+++ b/arogue5/rogue.c
@@ -65,7 +65,7 @@ int spell_power = 0;
 int turns = 0; /* Number of turns player has taken */
 int quest_item = 0; /* Item player is looking for */
 char nfloors = -1; /* Number of floors in this dungeon */
-char curpurch[15]; /* name of item ready to buy */
+char curpurch[LINELEN*2]; /* name of item ready to buy */
 char PLAYER = VPLAYER; /* what the player looks like */
 char take; /* Thing the rogue is taking */
 char prbuf[LINELEN*2]; /* Buffer for sprintfs */
diff --git a/arogue5/state.c b/arogue5/state.c
index ed32f81..9f18bab 100644
--- a/arogue5/state.c
+++ b/arogue5/state.c
@@ -2294,7 +2294,7 @@ rs_save_file(FILE *savef)
 rs_write_int(savef, turns);
 rs_write_int(savef, quest_item);
 rs_write_char(savef, nfloors);
- rs_write(savef, curpurch, 15);
+ rs_write(savef, curpurch, LINELEN*2);
 rs_write_char(savef, PLAYER);
 rs_write_char(savef, take);
 rs_write(savef, prbuf, LINELEN);
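Review bot: The new `char curpurch[LINELEN*2];` is only safe while its size stays equal to `prbuf`'s, and the two declarations are independent literal expressions two lines apart, so a later edit to either one silently reintroduces the overflow the commit message describes. Defining the length once (for example `#define CURPURCHLEN (LINELEN*2)` used by this declaration and by the save/restore calls in state.c) or, if the build allows C11, adding `_Static_assert(sizeof curpurch == sizeof prbuf, "curpurch must hold prbuf");` would turn the invariant into something the compiler checks. The `strcpy()` from prbuf into curpurch that the message names is outside this diff; bounding that copy with `snprintf(curpurch, sizeof curpurch, "%s", ...)` or an explicit length check would remove the dependence on equal sizes altogether. A comment on the declaration such as `/* must be at least sizeof prbuf: inv_name()'s result is copied here */` would record why the size is what it is.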
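Review bot: `rs_write(savef, curpurch, LINELEN*2);` repeats the array length as a literal that must now be kept in sync by hand with the declaration in rogue.c and with the matching `rs_read` in the -2420 hunk; `rs_write(savef, curpurch, sizeof curpurch);` (and `sizeof curpurch` in the rs_read call) ties the serialized length to the declaration so the two cannot drift apart again. The same hunk shows `rs_write(savef, prbuf, LINELEN);` against the `prbuf[LINELEN*2]` declaration visible in the rogue.c hunk; that is pre-existing and not changed here, but it is the same kind of hand-maintained size pair and may deserve the same treatment. rs_save_file's body continues outside the hunk.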
@@ -2420,7 +2420,7 @@ rs_restore_file(int inf)
 rs_read_int(inf, &turns);
 rs_read_int(inf, &quest_item);
 rs_read_char(inf, &nfloors);
- rs_read(inf, &curpurch, 15);
+ rs_read(inf, &curpurch, LINELEN*2);
 rs_read_char(inf, &PLAYER);
 rs_read_char(inf, &take);
 rs_read(inf, &prbuf, LINELEN);
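Review bot: Reading `LINELEN*2` bytes into curpurch from a save file written under the old 15-byte layout does not fail; it shifts every following `rs_read*` call by the difference and yields silently corrupted game state, which the commit message acknowledges as a compatibility break but nothing in the code detects. If the save format carries a version or magic value (not visible here), it should be bumped in this commit so old files are rejected at load time rather than misread. As a point of style, the new line passes `&curpurch` (type `char (*)[LINELEN*2]`) where the matching rs_write in the -2294 hunk passes `curpurch`; both give the same address, but `rs_read(inf, curpurch, sizeof curpurch);` keeps the two sides symmetric and lets the length follow the declaration. rs_restore_file's body continues outside the hunk.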