From: PatR <rankin@nethack.org>
Date: Thu, 14 Jul 2022 22:17:30 +0000 (-0700)
Subject: out of bounds memory access during zap bounce
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5ddf8c98158e37189b562bee7fdb7632798f7393;p=nethack

out of bounds memory access during zap bounce

Apply the diff from entrez to deal with out of array bounds access by
wand or spell zap when deciding whether to bounce if that zap reached
the extreme edge of the map (not just the edge of the portion of the
map in use by current level).
---

diff --git a/doc/fixes3-7-0.txt b/doc/fixes3-7-0.txt
index 204ba151d..8aee6bfdd 100644
--- a/doc/fixes3-7-0.txt
+++ b/doc/fixes3-7-0.txt
@@ -961,6 +961,8 @@ similarly, if #wizfliplevel was used to transpose an active level while a
 	vauld guard was maintaining a temporary corridor or while a monster
 	with eshk, epri, or egd data was off level, that data became invalid
 blessed potion of polymorph will prompt user for monster to poly into
+out of array bounds access attempt occurred when deciding whether to bounce
+	if wand or spell zap reached edge of map
 
 
 Fixes to 3.7.0-x Problems that Were Exposed Via git Repository
diff --git a/src/zap.c b/src/zap.c
index 06db5a3c2..7dd5b5298 100644
--- a/src/zap.c
+++ b/src/zap.c
@@ -4477,9 +4477,9 @@ dobuzz(
             boolean fireball;
 
  make_bounce:
-            bchance = (levl[sx][sy].typ == STONE) ? 10
-                : (In_mines(&u.uz) && IS_WALL(levl[sx][sy].typ)) ? 20
-                : 75;
+            bchance = (!isok(sx, sy) || levl[sx][sy].typ == STONE) ? 10
+                      : (In_mines(&u.uz) && IS_WALL(levl[sx][sy].typ)) ? 20
+                        : 75;
             bounce = 0;
             fireball = (type == ZT_SPELL(ZT_FIRE));
             if ((--range > 0 && isok(lsx, lsy) && cansee(lsx, lsy))
@@ -4532,16 +4532,12 @@ dobuzz(
     if (type == ZT_SPELL(ZT_FIRE))
         explode(sx, sy, type, d(12, 6), 0, EXPL_FIERY);
     if (shopdamage)
-        pay_for_damage(abstype == ZT_FIRE
-                          ? "burn away"
-                          : abstype == ZT_COLD
-                             ? "shatter"
-                             /* "damage" indicates wall rather than door */
-                             : abstype == ZT_ACID
-                                ? "damage"
-                                : abstype == ZT_DEATH
-                                   ? "disintegrate"
-                                   : "destroy",
+        pay_for_damage(abstype == ZT_FIRE ? "burn away"
+                       : abstype == ZT_COLD ? "shatter"
+                         /* "damage" indicates wall rather than door */
+                         : abstype == ZT_ACID ? "damage"
+                           : abstype == ZT_DEATH ? "disintegrate"
+                             : "destroy",
                        FALSE);
     g.bhitpos = save_bhitpos;
 }