From: nethack.allison <nethack.allison>
Date: Fri, 9 May 2003 03:55:33 +0000 (+0000)
Subject: next qbuf overflow
X-Git-Tag: MOVE2GIT~2010
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5353192bdaea4db6070b1956efc8e15472c3d67e;p=nethack

next qbuf overflow

By naming the candelabrum as long a name as the game will allow, and by naming a candle the longest name also, a qbuf overflow and crash is
triggered when you attach the candle to the candelabrum.
---

diff --git a/src/apply.c b/src/apply.c
index e4b7c0071..26e28dfcf 100644
--- a/src/apply.c
+++ b/src/apply.c
@@ -925,7 +925,9 @@ struct obj **optr;
 	}
 
 	Sprintf(qbuf, "Attach %s", the(xname(obj)));
-	Sprintf(eos(qbuf), " to %s?", the(xname(otmp)));
+	Sprintf(eos(qbuf), " to %s?",
+		safe_qbuf(qbuf, sizeof(" to ?"), the(xname(otmp)),
+			the(simple_typename(otmp->otyp)), "it"));
 	if(yn(qbuf) == 'n') {
 		if (!obj->lamplit)
 		    You("try to light %s...", the(xname(obj)));
@@ -2561,7 +2563,9 @@ do_break_wand(obj)
     char confirm[QBUFSZ], the_wand[BUFSZ], buf[BUFSZ];
 
     Strcpy(the_wand, yname(obj));
-    Sprintf(confirm, "Are you really sure you want to break %s?", the_wand);
+    Sprintf(confirm, "Are you really sure you want to break %s?",
+	safe_qbuf(confirm, sizeof("Are you really sure you want to break ?"),
+				the_wand, ysimple_name(obj), "the wand"));
     if (yn(confirm) == 'n' ) return 0;
 
     if (nohands(youmonst.data)) {