From: nethack.allison Date: Thu, 8 May 2003 02:25:19 +0000 (+0000) Subject: fix prompt string overflow in lift_object() X-Git-Tag: MOVE2GIT~2015 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=24f9f56006cd2cd686a772a1415678b51665fe01;p=nethack fix prompt string overflow in lift_object() wrote: > The game crashed badly when I made some experiments with items > with very long names: > > You have much trouble lifting a blessed greased thoroughly rusty >thoroughly corroded +3 plate mail named terribly long killer longer than my >ong long-worm called long. Continue? [ynq] (q) tty_yn_function(const char * 0x0012fa50, const char * 0x00572ddc _ynqchars, char 113) line 379 + 6 bytes lift_object(obj * 0x009e8970, obj * 0x00000000, long * 0x0012fcd0, char 0) line 1131 + 20 bytes pickup_object(obj * 0x009e8970, long 1, char 0) line 1258 + 19 bytes pickup(int 0) line 474 + 28 bytes dopickup() line 1853 + 11 bytes rhack(char * 0x005c0d50 in_line) line 1908 + 3 bytes moveloop() line 406 + 7 bytes main(int 3, char * * 0x009e2ac0) line 102
---
diff --git a/doc/fixes34.2 b/doc/fixes34.2
index 996900f07..4a58fce8b 100644
--- a/doc/fixes34.2
+++ b/doc/fixes34.2
@@ -50,6 +50,7 @@ give more explicit feedback for exploding bag of holding help display for "list of game options" misformats runmode and scroll_amount pit created by land mine explosion doesn't start out concealed update map display sooner when pushed boulder triggers land mine explosion
+prevent fatal error from prompt string overflow in lift_object()
 Platform- and/or Interface-Specific Fixes
diff --git a/doc/fixes35.0 b/doc/fixes35.0
index 3994c9062..f508fce4f 100644
--- a/doc/fixes35.0
+++ b/doc/fixes35.0
@@ -26,6 +26,7 @@ dust vortex-induced blindness should kick in immediately when blindfold is removed or glop is wiped off prayer/unicorn-horn won't fix blindness while still engulfed in a dust vortex since it will just return immediately
+prevent fatal error from prompt string overflow in lift_object()
 Platform- and/or Interface-Specific Fixes
diff --git a/src/pickup.c b/src/pickup.c
index 90262c3f5..ba54adc2a 100644
--- a/src/pickup.c
+++ b/src/pickup.c
@@ -1122,12 +1122,18 @@ boolean telekinesis;
 } else {
 char qbuf[BUFSZ];
 long savequan = obj->quan;
+ unsigned textleft;
 obj->quan = *cnt_p;
- Sprintf(qbuf, "%s %s. Continue?",
+ Strcpy(qbuf,
 (next_encumbr > HVY_ENCUMBER) ? overloadmsg :
 (next_encumbr > MOD_ENCUMBER) ? nearloadmsg :
- moderateloadmsg, doname(obj));
+ moderateloadmsg);
+ textleft = QBUFSZ - (strlen(qbuf) + sizeof(" . Continue?"));
+ Sprintf(eos(qbuf), " %s. Continue?",
+ (strlen(doname(obj)) < textleft) ? doname(obj) :
+ (strlen(simple_typename(obj->otyp)) < textleft) ?
+ an(simple_typename(obj->otyp)) : something);
 obj->quan = savequan;
 switch (ynq(qbuf)) {
 case 'q': result = -1; break;
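Review bot: The fallback branch of the new `Sprintf(eos(qbuf), ...)` tests `strlen(simple_typename(obj->otyp)) < textleft` but then emits `an(simple_typename(obj->otyp))`, so the article that an() prepends (up to three characters) is never counted against textleft, and with only the one byte of slack that `<` leaves the assembled prompt can run past the QBUFSZ budget by a couple of bytes. That is not a memory overflow here, because qbuf is declared `char qbuf[BUFSZ]` while the budget is taken from the smaller QBUFSZ (presumably the prompt width ynq() can display — worth a comment such as `/* keep the prompt within QBUFSZ, the longest prompt ynq() can show */`), but the check should measure the string that is actually printed, which also avoids calling doname() twice. Separately, `textleft` is computed by unsigned subtraction, so if strlen(qbuf) + sizeof(" . Continue?") ever exceeded QBUFSZ it would wrap to a large value and silently disable the length check; the load messages are fixed literals today, so an explicit guard makes the intent clear rather than fixing a live bug. lift_object() starts and ends outside the hunk.
```c
        /* budget for the object name; 0 if the load message alone is too long */
        textleft = (strlen(qbuf) + sizeof(" . Continue?") < QBUFSZ)
                       ? QBUFSZ - (strlen(qbuf) + sizeof(" . Continue?")) : 0;
        /* measure the string that is actually emitted, article included */
        {
            const char *nm = doname(obj);

            if (strlen(nm) >= textleft) {
                nm = an(simple_typename(obj->otyp));
                if (strlen(nm) >= textleft) nm = something;
            }
            Sprintf(eos(qbuf), " %s. Continue?", nm);
        }
        /* … unchanged: obj->quan = savequan; switch (ynq(qbuf)) … */
```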