From: Ben Harris <bjh21@bjh21.me.uk>
Date: Sat, 7 Jan 2023 23:06:13 +0000
Subject: [PATCH 303/389] Sixteen: limit length of moves
Origin: https://git.tartarus.org/?p=simon/puzzles.git;a=commitdiff;h=023ce7554c19dcf6f4432407b9eedb850acc7289
Bug-Debian: https://bugs.debian.org/1028986
The code that actually executes the moves can only cope with moves of
at most the width (or height as appropriate) of the grid. Reject any
longer move, and for symmetry also negative moves of the same
magnitude.
Without this, the tile-moving code tends to access off the start of the
tile array. To demonstrate this, build Sixteen with AddressSanitizer
and load this save file:
SAVEFILE:41:Simon Tatham's Portable Puzzle Collection
VERSION :1:1
GAME :7:Sixteen
PARAMS :3:4x4
CPARAMS :3:4x4
DESC :38:2,16,3,10,13,8,7,4,9,14,12,11,15,1,5,6
NSTATES :1:2
STATEPOS:1:2
MOVE :4:C1,9
sixteen.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
@@ -747,11 +747,11 @@ static game_state *execute_move(const ga
}
if (move[0] == 'R' && sscanf(move+1, "%d,%d", &cy, &dx) == 2 &&
- cy >= 0 && cy < from->h) {
+ cy >= 0 && cy < from->h && -from->h <= dx && dx <= from->w ) {
cx = dy = 0;
n = from->w;
} else if (move[0] == 'C' && sscanf(move+1, "%d,%d", &cx, &dy) == 2 &&
- cx >= 0 && cx < from->w) {
+ cx >= 0 && cx < from->w && -from->h <= dy && dy <= from->h) {
cy = dx = 0;
n = from->h;
} else