github pull request #406 - polyfodder() macro

Some eggs and tins could cause an out of bounds index into the
mons[] array.  Post-3.6 bug: the faulty part of the test is only
relevant for 3.7 genetic engineer monster.  Earlier versions just
called pm_to_cham() which does it's own index validation.

Fixes #406

diff --git a/doc/fixes37.0 b/doc/fixes37.0
index 4eb6b906249d9b1878eb026f3335d92cbdf9ccef..455db9ee2e0dbcadf73c7301824157e29acc4c15 100644 (file)
--- a/doc/fixes37.0
+++ b/doc/fixes37.0
@@ -1,4 +1,4 @@
-NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.347 $ $NHDT-Date: 1604619327 2020/11/05 23:35:27 $
+NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.348 $ $NHDT-Date: 1604620981 2020/11/06 00:03:01 $
 
 General Fixes and Modified Features
 -----------------------------------
@@ -373,6 +373,8 @@ learn scroll of teleportation after reading even when random destination is
 fix off-by-one bug in dimensions of theme rooms
 fire/frost horn feedback when zapped by monster was inaccurate (falsely
        claimed that it was "directed at self" when attacking hero)
+tins of spinach and 'dead' eggs could cause out of array bounds access
+       attempting to index into mons[] by polyfodder() macro
 
 curses: 'msg_window' option wasn't functional for curses unless the binary
        also included tty support

diff --git a/include/obj.h b/include/obj.h
index 69ab173f8589552c58cacbc0cce84db0aea80f9b..3504992d6cbefc1c5ea7cf4ec129413e5053ac93 100644 (file)
--- a/include/obj.h
+++ b/include/obj.h
@@ -1,4 +1,4 @@
-/* NetHack 3.7 obj.h   $NHDT-Date: 1604442292 2020/11/03 22:24:52 $  $NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.78 $ */
+/* NetHack 3.7 obj.h   $NHDT-Date: 1604620981 2020/11/06 00:03:01 $  $NHDT-Branch: NetHack-3.7 $:$NHDT-Revision: 1.79 $ */
 /* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */
 /*-Copyright (c) Michael Allison, 2006. */
 /* NetHack may be freely redistributed.  See license for details. */
@@ -247,13 +247,16 @@ struct obj {
 #define stale_egg(egg) \
     ((g.monstermoves - (egg)->age) > (2 * MAX_EGG_HATCH_TIME))
 #define ofood(o) ((o)->otyp == CORPSE || (o)->otyp == EGG || (o)->otyp == TIN)
+    /* note: sometimes eggs and tins have special corpsenm values that
+       shouldn't be used as an index into mons[]                       */
 #define polyfodder(obj) \
-    (ofood(obj) && (pm_to_cham((obj)->corpsenm) != NON_PM       \
+    (ofood(obj) && (obj)->corpsenm >= LOW_PM                            \
+     && (pm_to_cham((obj)->corpsenm) != NON_PM                          \
                     || dmgtype(&mons[(obj)->corpsenm], AD_POLY)))
 #define mlevelgain(obj) (ofood(obj) && (obj)->corpsenm == PM_WRAITH)
 #define mhealup(obj) (ofood(obj) && (obj)->corpsenm == PM_NURSE)
-#define Is_pudding(o)                                                 \
-    (o->otyp == GLOB_OF_GRAY_OOZE || o->otyp == GLOB_OF_BROWN_PUDDING \
+#define Is_pudding(o) \
+    (o->otyp == GLOB_OF_GRAY_OOZE || o->otyp == GLOB_OF_BROWN_PUDDING   \
      || o->otyp == GLOB_OF_GREEN_SLIME || o->otyp == GLOB_OF_BLACK_PUDDING)
 
 /* Containers */