arogue5: fix the crash when checking prices in shops.
A buffer called curpurch, which stores a description of an item in a trading post which the player might be interested in, was only 15 bytes. It was overflowing into oldrp, a room pointer, leading to segfaults. The size of curpurch has been increased to LINELEN*2, which matches the size of prbuf, which is returned by inv_name and then strcpy()'d to curpurch. As long as nothing overflows prbuf it should be safe now. NOTE that this breaks savefile compatibility.
This commit is contained in:
John "Elwin" Edwards
parent
f56c5bd801
commit
5fe41fbc3a
2 changed files with 3 additions and 3 deletions
|
|
@ -65,7 +65,7 @@ int spell_power = 0;
|
|||
int turns = 0; /* Number of turns player has taken */
|
||||
int quest_item = 0; /* Item player is looking for */
|
||||
char nfloors = -1; /* Number of floors in this dungeon */
|
||||
char curpurch[15]; /* name of item ready to buy */
|
||||
char curpurch[LINELEN*2]; /* name of item ready to buy */
|
||||
char PLAYER = VPLAYER; /* what the player looks like */
|
||||
char take; /* Thing the rogue is taking */
|
||||
char prbuf[LINELEN*2]; /* Buffer for sprintfs */
|
||||
|
|
|
|||
|
|
@ -2294,7 +2294,7 @@ rs_save_file(FILE *savef)
|
|||
rs_write_int(savef, turns);
|
||||
rs_write_int(savef, quest_item);
|
||||
rs_write_char(savef, nfloors);
|
||||
rs_write(savef, curpurch, 15);
|
||||
rs_write(savef, curpurch, LINELEN*2);
|
||||
rs_write_char(savef, PLAYER);
|
||||
rs_write_char(savef, take);
|
||||
rs_write(savef, prbuf, LINELEN);
|
||||
|
|
@ -2420,7 +2420,7 @@ rs_restore_file(int inf)
|
|||
rs_read_int(inf, &turns);
|
||||
rs_read_int(inf, &quest_item);
|
||||
rs_read_char(inf, &nfloors);
|
||||
rs_read(inf, &curpurch, 15);
|
||||
rs_read(inf, &curpurch, LINELEN*2);
|
||||
rs_read_char(inf, &PLAYER);
|
||||
rs_read_char(inf, &take);
|
||||
rs_read(inf, &prbuf, LINELEN);
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue