karzes@mfci.UUCP (Tom Karzes) (08/01/89)
When running ularn on one of our machines, I noticed a few instances where mistyping the name of a spell caused an addressing error. It turns out that there are a few places in the code where the list of spells is incorrectly searched, resulting in an attempt to index past the end of the array. There are SPNUM spells, numbered from 0 to SPNUM-1. In a couple of places in monster.c and one place in object.c, the spells are incorrectly treated as being numbered from 0 to SPNUM, inclusive, for a total of SPNUM+1 spells. This obviously doesn't work.

In function "cast" in monster.c we have:

    for (lprc('\n'),j= -1,i=0; i<SPNUM+1; i++)
        if ((spelcode[i][0]==a) && (spelcode[i][1]==b) && (spelcode[i][2]==d))
            if (spelknow[i]) { speldamage(i); j = 1; i=SPNUM+1; }

The two instances of SPNUM+1 should be changed to SPNUM as shown below:

    for (lprc('\n'),j= -1,i=0; i<SPNUM; i++)
        if ((spelcode[i][0]==a) && (spelcode[i][1]==b) && (spelcode[i][2]==d))
            if (spelknow[i]) { speldamage(i); j = 1; i=SPNUM; }

(Actually the assignment "i=SPNUM" could use SPNUM-1, or better yet could simply be a break statement, but I'm really only concerned with correctness here. In fact, SPNUM+1 is actually ok in the assignment, since it's only being used to force a premature exit. It's the exit test that causes problems.)

Similarly, at the top of function "speldamage" in monster.c we have:

    if (x>=SPNUM+1) return; /* no such spell */

This should be:

    if (x>=SPNUM) return; /* no such spell */

Finally, in the brass lamp code in function "lookforobject" in object.c we have:

    for (lprc('\n'),i=0; i<SPNUM+1; i++)
        if ((spelcode[i][0]==a) && (spelcode[i][1]==b) && (spelcode[i][2]==d))
        { spelknow[i]=1;

This should be:

    for (lprc('\n'),i=0; i<SPNUM; i++)
        if ((spelcode[i][0]==a) && (spelcode[i][1]==b) && (spelcode[i][2]==d))
        { spelknow[i]=1;
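The bug described in the post above is an off-by-one read past the end of the spelcode and spelknow arrays, triggered simply by typing a spell name that does not exist. The following is an added example, not ularn's code: it models the spell table with a constructed SPNUM and made-up three-letter codes, and shows the lookup written with the correct exit test (i < SPNUM), an early return instead of the "i=SPNUM" trick, and the bounds guard that speldamage() should apply before subscripting. find_spell, spell_index_valid and try_cast are names chosen for this example.

```c
#include <string.h>

/* Constructed stand-in for ularn's spell table: SPNUM spells, numbered
   0..SPNUM-1.  The codes below are made up for this example, not ularn's. */
#define SPNUM 4

static const char spelcode[SPNUM][4] = { "pro", "mle", "dex", "sle" };
static int spelknow[SPNUM] = { 1, 0, 1, 0 };   /* which spells the player knows */

/* Returns the index of the spell whose code is (a,b,d), or -1 if there is
   no such spell.  The loop bound is i < SPNUM: index SPNUM is one past the
   end of both arrays and must never be read, no matter what was typed. */
int find_spell(char a, char b, char d)
{
    for (int i = 0; i < SPNUM; i++) {
        if (spelcode[i][0] == a && spelcode[i][1] == b && spelcode[i][2] == d)
            return i;           /* leave as soon as we match; no sentinel index needed */
    }
    return -1;                  /* mistyped or unknown spell: fail without touching memory */
}

/* The guard the post wants at the top of speldamage(): reject any index
   outside 0..SPNUM-1 before it is used to subscript an array. */
int spell_index_valid(int x)
{
    return x >= 0 && x < SPNUM;
}

/* Mirrors the cast() logic: look the typed code up, then check whether the
   spell is known.  Returns 1 if a known spell was found, -1 otherwise
   (the same convention as ularn's j). */
int try_cast(const char *code)
{
    if (code == NULL || strlen(code) != 3)
        return -1;              /* spell codes are exactly three letters */
    int i = find_spell(code[0], code[1], code[2]);
    if (!spell_index_valid(i) || !spelknow[i])
        return -1;
    return 1;
}
```

With this shape, a mistyped name yields -1 from find_spell and is rejected by spell_index_valid, so nothing is ever indexed at SPNUM; the original loop instead compared against spelcode[SPNUM] on every miss, which is exactly the addressing error reported.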