micro fopenp() fix

     From a bug report.  I can't test this fix, but
inspection of the code shows that his suggested fix is clearly
necessary.  Once `bp' gets incremented, storing via `bp[BUFSZ-1]'
writes beyond the bounds of `buf' and clobbers something.

diff --git a/doc/fixes33.2 b/doc/fixes33.2
index c71af1a957a2f86201c7d6beb9ad212912d88010..7d78288a346b75ad055db21559ebb7afc9b73275 100644 (file)
--- a/doc/fixes33.2
+++ b/doc/fixes33.2
@@ -428,6 +428,7 @@ win32/tty: menus can take advantage of consoles larger than 80x25
 win32/tty: add support for inverse attribute
 micro: prevent a guaranteed impossible() if we ever have more than (COLNO - 1) 
        levels in the game
+micro: fix out of bounds memory modification for file opens via PATH
 msdos: placeholder tiles accepted by the thin tile builder
 X11: viewport scrolling could scroll the the wrong place with resized window
 X11: allow extra space added to map widget to be removed if widget shrinks

diff --git a/sys/share/pcsys.c b/sys/share/pcsys.c
index b2c9cee3ab79e13000913ef2416ef120352ddc92..69c30f6f66f7eeb2f5db0d12509c87c4aa4a3990 100644 (file)
--- a/sys/share/pcsys.c
+++ b/sys/share/pcsys.c
@@ -1,4 +1,4 @@
-/*     SCCS Id: @(#)pcsys.c    3.3     1999/12/10                */
+/*     SCCS Id: @(#)pcsys.c    3.3     2002/01/22                */
 /* NetHack may be freely redistributed.  See license for details. */
 
 /*
@@ -451,7 +451,7 @@ const char *name, *mode;
                                ccnt++;
                        }
                        (void) strncpy(bp, name, (BUFSIZ - ccnt) - 2);
-                       bp[BUFSIZ-1] = '\0';
+                       bp[BUFSIZ - ccnt - 1] = '\0';
                        if ((fp = fopen(buf, mode)))
                                return fp;
                        if (*pp)