out of bounds memory access during zap bounce

Apply the diff from entrez to deal with out of array bounds access by
wand or spell zap when deciding whether to bounce if that zap reached
the extreme edge of the map (not just the edge of the portion of the
map in use by current level).

diff --git a/doc/fixes3-7-0.txt b/doc/fixes3-7-0.txt
index 204ba151dad71d279d5bd718d2a88be4ed4f5ca4..8aee6bfddd43d7867257d1bda469a1108fb8a1ac 100644 (file)
--- a/doc/fixes3-7-0.txt
+++ b/doc/fixes3-7-0.txt
@@ -961,6 +961,8 @@ similarly, if #wizfliplevel was used to transpose an active level while a
        vauld guard was maintaining a temporary corridor or while a monster
        with eshk, epri, or egd data was off level, that data became invalid
 blessed potion of polymorph will prompt user for monster to poly into
+out of array bounds access attempt occurred when deciding whether to bounce
+       if wand or spell zap reached edge of map
 
 
 Fixes to 3.7.0-x Problems that Were Exposed Via git Repository

diff --git a/src/zap.c b/src/zap.c
index 06db5a3c2627e1c1cfa93d363ceac2e415ce12ab..7dd5b52985f3856dff0dcd40504d764a80f61c4b 100644 (file)
--- a/src/zap.c
+++ b/src/zap.c
@@ -4477,9 +4477,9 @@ dobuzz(
             boolean fireball;
 
  make_bounce:
-            bchance = (levl[sx][sy].typ == STONE) ? 10
-                : (In_mines(&u.uz) && IS_WALL(levl[sx][sy].typ)) ? 20
-                : 75;
+            bchance = (!isok(sx, sy) || levl[sx][sy].typ == STONE) ? 10
+                      : (In_mines(&u.uz) && IS_WALL(levl[sx][sy].typ)) ? 20
+                        : 75;
             bounce = 0;
             fireball = (type == ZT_SPELL(ZT_FIRE));
             if ((--range > 0 && isok(lsx, lsy) && cansee(lsx, lsy))
@@ -4532,16 +4532,12 @@ dobuzz(
     if (type == ZT_SPELL(ZT_FIRE))
         explode(sx, sy, type, d(12, 6), 0, EXPL_FIERY);
     if (shopdamage)
-        pay_for_damage(abstype == ZT_FIRE
-                          ? "burn away"
-                          : abstype == ZT_COLD
-                             ? "shatter"
-                             /* "damage" indicates wall rather than door */
-                             : abstype == ZT_ACID
-                                ? "damage"
-                                : abstype == ZT_DEATH
-                                   ? "disintegrate"
-                                   : "destroy",
+        pay_for_damage(abstype == ZT_FIRE ? "burn away"
+                       : abstype == ZT_COLD ? "shatter"
+                         /* "damage" indicates wall rather than door */
+                         : abstype == ZT_ACID ? "damage"
+                           : abstype == ZT_DEATH ? "disintegrate"
+                             : "destroy",
                        FALSE);
     g.bhitpos = save_bhitpos;
 }