From: PatR <rankin@nethack.org>
Date: Thu, 12 Jan 2023 11:12:56 +0000 (-0800)
Subject: fix github issue #955 - tile2bmp bounds failure
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a7756a132713e86ea0149ba620d5c8f8b1613c8f;p=nethack

fix github issue #955 - tile2bmp bounds failure

Issue reported by argrath:  building with 'address sanitizing'
reported tile2bmp writing out of array bounds after the addition
of the generic object tiles.

'MAGICTILENO' in tile2bmp.c is extremely fragile.  It was already
inaccurate before the generic tiles, but had a big enough value to
handle the final row of tiles prior to that.

Fixes #955
---

diff --git a/win/share/monsters.txt b/win/share/monsters.txt
index a652342ac..3496f08a9 100644
--- a/win/share/monsters.txt
+++ b/win/share/monsters.txt
@@ -1,3 +1,8 @@
+# monsters.txt - tile defintions for monsters
+#  Note: if the number of monster tiles, object tiles, or other tiles
+#  changes, 'MAGICTILENO' in tile2bmp.c needs to be updated to match!
+#  Note too: lines beginning with '# tile ' are not comments; other
+#  lines beginning with '#' are.
 . = (71, 108, 108)
 A = (0, 0, 0)
 B = (0, 182, 255)
diff --git a/win/share/objects.txt b/win/share/objects.txt
index ab01024d1..8d4bf8474 100644
--- a/win/share/objects.txt
+++ b/win/share/objects.txt
@@ -1,3 +1,8 @@
+# objects.txt - tile defintions for objects
+#  Note: if the number of monster tiles, object tiles, or other tiles
+#  changes, 'MAGICTILENO' in tile2bmp.c needs to be updated to match!
+#  Note too: lines beginning with '# tile ' are not comments; other
+#  lines beginning with '#' are.
 . = (71, 108, 108)
 A = (0, 0, 0)
 B = (0, 182, 255)
diff --git a/win/share/other.txt b/win/share/other.txt
index b3d4e3ebf..bde9d191c 100644
--- a/win/share/other.txt
+++ b/win/share/other.txt
@@ -1,3 +1,8 @@
+# other.txt - tile defintions for 'other' (walls, furniture, explosions)
+#  Note: if the number of monster tiles, object tiles, or other tiles
+#  changes, 'MAGICTILENO' in tile2bmp.c needs to be updated to match!
+#  Note too: lines beginning with '# tile ' are not comments; other
+#  lines beginning with '#' are.
 . = (71, 108, 108)
 A = (0, 0, 0)
 B = (0, 182, 255)
diff --git a/win/share/tile2bmp.c b/win/share/tile2bmp.c
index 1de3c6212..1548aabe5 100644
--- a/win/share/tile2bmp.c
+++ b/win/share/tile2bmp.c
@@ -56,7 +56,7 @@ extern char *tilename(int, int);
 /* The numbers in the following calculation are the
    count of tiles present in:
    monsters.txt objects.txt other.txt monsters.txt */
-#define MAGICTILENO (788 + 459 + 237 + 788)
+#define MAGICTILENO (789 + 477 + 240 + 789)
 
 #if BITCOUNT == 4
 #define MAX_X 320 /* 2 per byte, 4 bits per pixel */
@@ -230,7 +230,7 @@ main(int argc, char *argv[])
         exit(1);
     }
     while (pass < 4) {
-        filenum = pass % (sizeof(tilefiles) / sizeof(char *));
+        filenum = pass % (sizeof tilefiles / sizeof (char *));
         if (!fopen_text_file(tilefiles[filenum], RDTMODE)) {
             Fprintf(stderr, "usage: tile2bmp (from the util directory)\n");
             exit(EXIT_FAILURE);
@@ -260,6 +260,11 @@ main(int argc, char *argv[])
         set_grayscale(pass == 3);
         /* printf("Colormap initialized\n"); */
         while (read_text_tile(tilepixels)) {
+            if (tilecount >= MAGICTILENO) {
+                Fprintf(stderr, "tile2bmp: more than %d tiles!\n",
+                        MAGICTILENO);
+                exit(EXIT_FAILURE);
+            }
             build_bmptile(tilepixels);
             tilecount++;
 #if BITCOUNT == 4
@@ -275,7 +280,7 @@ main(int argc, char *argv[])
         (void) fclose_text_file();
         ++pass;
     }
-    fwrite(&bmp, sizeof(bmp), 1, fp);
+    fwrite(&bmp, sizeof bmp, 1, fp);
     fclose(fp);
     Fprintf(stderr, "Total of %d tiles written to %s.\n", tilecount, bmpname);
 
@@ -363,14 +368,15 @@ build_bmptile(pixel(*pixels)[TILE_X])
                     break;
             }
             if (cur_color >= num_colors)
-                Fprintf(stderr, "color not in colormap!\n");
+                Fprintf(stderr, "color not in colormap! (tile #%d)\n",
+                        tilecount);
             y = (MAX_Y - 1) - (cur_y + yoffset);
             apply_color = cur_color;
 #if BITCOUNT == 4
             x = (cur_x / 2) + xoffset;
-            bmp.packtile[y][x] = cur_x % 2
-                                     ? (uchar)(bmp.packtile[y][x] | cur_color)
-                                     : (uchar)(cur_color << 4);
+            bmp.packtile[y][x] = (cur_x % 2 != 0)
+                                    ? (uchar) (bmp.packtile[y][x] | cur_color)
+                                    : (uchar) (cur_color << 4);
 #else
             x = cur_x + xoffset;
             bmp.packtile[y][x] = (uchar) apply_color;
@@ -380,4 +386,3 @@ build_bmptile(pixel(*pixels)[TILE_X])
 }
 
 /*tile2bmp.c*/
-