From 023ce7554c19dcf6f4432407b9eedb850acc7289 Mon Sep 17 00:00:00 2001
From: Ben Harris
Date: Sat, 7 Jan 2023 23:06:13 +0000
Subject: [PATCH] Sixteen: limit length of moves

The code that actually executes the moves can only cope with moves of at most the width (or height as appropriate) of the grid. Reject any longer move, and for symmetry also negative moves of the same magnitude. Without this, the tile-moving code tends to access off the start of the tile array. To demonstrate this, build Sixteen with AddressSanitizer and load this save file:
SAVEFILE:41:Simon Tatham's Portable Puzzle Collection
VERSION :1:1
GAME :7:Sixteen
PARAMS :3:4x4
CPARAMS :3:4x4
DESC :38:2,16,3,10,13,8,7,4,9,14,12,11,15,1,5,6
NSTATES :1:2
STATEPOS:1:2
MOVE :4:C1,9
---
 sixteen.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sixteen.c b/sixteen.c
index b44e925..aa10f4a 100644
--- a/sixteen.c
+++ b/sixteen.c
@@ -762,11 +762,11 @@ static game_state *execute_move(const game_state *from, const char *move)
 }
 
 if (move[0] == 'R' && sscanf(move+1, "%d,%d", &cy, &dx) == 2 &&
- cy >= 0 && cy < from->h) {
+ cy >= 0 && cy < from->h && -from->h <= dx && dx <= from->w ) {
 cx = dy = 0;
 n = from->w;
 } else if (move[0] == 'C' && sscanf(move+1, "%d,%d", &cx, &dy) == 2 &&
- cx >= 0 && cx < from->w) {
+ cx >= 0 && cx < from->w && -from->h <= dy && dy <= from->h) {
 cy = dx = 0;
 n = from->h;
 } else
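Review bot: The lower bound added on the 'R' branch uses `from->h`, but a row move spans `from->w` tiles (the following line sets `n = from->w`), so the new check is asymmetric and matches neither the 'C' branch, which bounds `dy` by `from->h` on both sides, nor the commit message's "negative moves of the same magnitude". On a grid taller than it is wide (say 3 wide, 5 high) a row move with dx = -5 still passes this guard; whether the move-execution loop then stays inside the tile array depends on code outside this hunk, so the bound should simply mirror the 'C' branch: `cy >= 0 && cy < from->h && -from->w <= dx && dx <= from->w) {`. That rewrite also removes the stray space before `)` on the same line. execute_move begins before and continues past this hunk.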