#adjust bounds bug

     Noticed while looking at something else:  doorganize() goes out of
array bounds for alphabet[] when inventory contains something in the '#'
slot, or in the '$' slot for GOLDOBJ config.  Both # and $ pass the
(let <= 'Z') test, then produce a negative result for (let - 'A' + 26).
In my case, it was harmlessly clobbering the tail end of buf[] but it
could potentially be a lot worse.

diff --git a/src/invent.c b/src/invent.c
index 0d1475a288064d38ec1d9089f2da8a70b779c00d..2eb120f26b6f36504cc06fd771fd2b46a0cb4c7a 100644 (file)
--- a/src/invent.c
+++ b/src/invent.c
@@ -1,4 +1,4 @@
-/*     SCCS Id: @(#)invent.c   3.5     2007/01/02      */
+/*     SCCS Id: @(#)invent.c   3.5     2007/06/04      */
 /* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */
 /* NetHack may be freely redistributed.  See license for details. */
 
@@ -2937,11 +2937,13 @@ doorganize()    /* inventory organizer by Del Lamb */
        /* blank out all the letters currently in use in the inventory */
        /* except those that will be merged with the selected object   */
        for (otmp = invent; otmp; otmp = otmp->nobj)
-               if (otmp != obj && !mergable(otmp,obj)) {
-                       if (otmp->invlet <= 'Z')
-                               alphabet[(otmp->invlet) - 'A' + 26] = ' ';
-                       else    alphabet[(otmp->invlet) - 'a']      = ' ';
-               }
+           if (otmp != obj && !mergable(otmp, obj)) {
+               let = otmp->invlet;
+               if (let >= 'a' && let <= 'z')
+                   alphabet[let - 'a'] = ' ';
+               else if (let >= 'A' && let <= 'Z')
+                   alphabet[let - 'A' + 26] = ' ';
+           }
 
        /* compact the list by removing all the blanks */
        for (ix = cur = 0; alphabet[ix]; ix++)