From caa8b06d4f17a7aaca5e956ce9d83263c9d463d2 Mon Sep 17 00:00:00 2001
From: Alexander Batalov
Date: Sat, 29 Oct 2022 18:14:49 +0300
Subject: [PATCH] Fix UB when parsing encounter table

---
 src/worldmap.cc | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/worldmap.cc b/src/worldmap.cc
index 2a46d59..2821c4f 100644
--- a/src/worldmap.cc
+++ b/src/worldmap.cc
@@ -1397,7 +1397,17 @@ static int wmParseEncounterTableIndex(EncounterEntry* entry, char* string)
 
     if (strstr(string, "special")) {
         entry->flags |= ENCOUNTER_ENTRY_SPECIAL;
-        string += 8;
+
+        // CE: Original code unconditionally consumes 8 characters, which is
+        // right when "special" is followed by conditions (separated with
+        // comma). However when "special" is the last keyword (which I guess
+        // is wrong, but present in worldmap.txt), consuming 8 characters
+        // sets pointer past NULL terminator, which can lead to many bad
+        // things (UB).
+        string += 7;
+        if (*string != '\0') {
+            string++;
+        }
     }
 
     if (string != NULL) {
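Review bot: The advance in `string += 7` is measured from the start of `string`, but the `strstr(string, "special")` in the first context line only guarantees that the keyword occurs somewhere in it; when it is not at offset 0 the pointer stays inside the string (a match implies at least seven characters are present), yet the remaining parsing then begins on the wrong text. If worldmap.txt always puts "special" first this is harmless, but anchoring the advance on the pointer strstr returns removes that assumption while keeping the new terminator check. The `if (string != NULL)` in the last context line can no longer fail once the pointer has been advanced, though that is pre-existing and unrelated to this fix. The rest of wmParseEncounterTableIndex lies outside the hunk.
```cpp
    char* special = strstr(string, "special");
    if (special != NULL) {
        entry->flags |= ENCOUNTER_ENTRY_SPECIAL;
        // Skip the keyword itself, then the separator (if any) that follows it,
        // so the pointer never moves past the terminator.
        string = special + 7;
        if (*string != '\0') {
            string++;
        }
    }
    // … unchanged: remaining parsing of the entry …
```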