From: nethack.allison <nethack.allison>
Date: Fri, 1 Feb 2002 00:36:54 +0000 (+0000)
Subject: fix crash during Drop unpaid
X-Git-Tag: MOVE2GIT~3306
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1c562198f595a8024101058acf4b9352d7609c88;p=nethack

fix crash during Drop unpaid
The patch is attached. Array bounds went unchecked in
the menu page operations (, \ ~)  This resulted in
memory corruption.

The actual crash depends on your luck actually. It will
only crash if  heap headers are corrupted, otherwise it
can go unnoticed.  When you do "Du," the list page size
is 18 (on my screen) with only 2 items in the menu. The
program assigned count of -1 to 18 items in the array
of 2. Ka-boom.  I put bounds checking code in several
places.  The window size does not have anything to do
with it.

<Someone>.
---

diff --git a/win/win32/mhmenu.c b/win/win32/mhmenu.c
index de1545711..3c1fe47af 100644
--- a/win/win32/mhmenu.c
+++ b/win/win32/mhmenu.c
@@ -879,11 +879,14 @@ BOOL onListChar(HWND hWnd, HWND hwndList, WORD ch)
 
 	case MENU_SELECT_PAGE:
 		if( data->how == PICK_ANY ) {
+			int from, to;
 			reset_menu_count(hwndList, data);
 			topIndex = ListView_GetTopIndex( hwndList );
 			pageSize = ListView_GetCountPerPage( hwndList );
-			for(i=0; i<pageSize; i++ ) {
-				SelectMenuItem(hwndList, data, topIndex+i, -1);
+			from = max(0, topIndex);
+			to = min(data->menu.size, from+pageSize);
+			for(i=from; i<to; i++ ) {
+				SelectMenuItem(hwndList, data, i, -1);
 			}
 			return -2;
 		}
@@ -891,11 +894,14 @@ BOOL onListChar(HWND hWnd, HWND hwndList, WORD ch)
 
 	case MENU_UNSELECT_PAGE:
 		if( data->how == PICK_ANY ) {
+			int from, to;
 			reset_menu_count(hwndList, data);
 			topIndex = ListView_GetTopIndex( hwndList );
 			pageSize = ListView_GetCountPerPage( hwndList );
-			for(i=0; i<pageSize; i++ ) {
-				SelectMenuItem(hwndList, data, topIndex+i, 0);
+			from = max(0, topIndex);
+			to = min(data->menu.size, from+pageSize);
+			for(i=from; i<to; i++ ) {
+				SelectMenuItem(hwndList, data, i, 0);
 			}
 			return -2;
 		}
@@ -903,15 +909,18 @@ BOOL onListChar(HWND hWnd, HWND hwndList, WORD ch)
 
 	case MENU_INVERT_PAGE:
 		if( data->how == PICK_ANY ) {
+			int from, to;
 			reset_menu_count(hwndList, data);
 			topIndex = ListView_GetTopIndex( hwndList );
 			pageSize = ListView_GetCountPerPage( hwndList );
-			for(i=0; i<pageSize; i++ ) {
+			from = max(0, topIndex);
+			to = min(data->menu.size, from+pageSize);
+			for(i=from; i<to; i++ ) {
 				SelectMenuItem(
 					hwndList, 
 					data, 
-					topIndex+i, 
-					NHMENU_IS_SELECTED(data->menu.items[topIndex+i])? 0 : -1
+					i, 
+					NHMENU_IS_SELECTED(data->menu.items[i])? 0 : -1
 				);
 			}
 			return -2;
@@ -1096,6 +1105,9 @@ void mswin_menu_window_size (HWND hWnd, LPSIZE sz)
 void SelectMenuItem(HWND hwndList, PNHMenuWindow data, int item, int count)
 {
 	int i;
+
+	if( item<0 || item>=data->menu.size ) return;
+
 	if( data->how==PICK_ONE && count!=0 ) {
 		for(i=0; i<data->menu.size; i++) 
 			if( item!=i && data->menu.items[i].count!=0 ) {
@@ -1190,3 +1202,4 @@ LRESULT CALLBACK NHMenuTextWndProc(HWND hWnd, UINT message, WPARAM wParam, LPARA
 	else 
 		return 0;
 }
+