From a4c6f21b8e286322d3c1820785907a000fe1092f Mon Sep 17 00:00:00 2001
From: Ben Harris
Date: Tue, 14 Feb 2023 00:06:10 +0000
Subject: [PATCH] Net: validate co-ordinates in decode_ui()

The offset and centre location should be within the grid. Otherwise the redraw code will suffer an assertion failure. This save file demonstrates the problem:
SAVEFILE:41:Simon Tatham's Portable Puzzle Collection
VERSION :1:1
GAME :3:Net
PARAMS :4:5x5w
CPARAMS :4:5x5w
DESC :25:9893e85285bb72e6de5182741
UI :9:O0,0;C6,6
NSTATES :1:1
STATEPOS:1:1
---
net.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/net.c b/net.c
index d920c5c..79e29d0 100644
--- a/net.c
+++ b/net.c
@@ -2044,8 +2044,20 @@ static char *encode_ui(const game_ui *ui)
 static void decode_ui(game_ui *ui, const char *encoding,
 const game_state *state)
 {
- sscanf(encoding, "O%d,%d;C%d,%d",
- &ui->org_x, &ui->org_y, &ui->cx, &ui->cy);
+ int org_x, org_y, cx, cy;
+
+ if (sscanf(encoding, "O%d,%d;C%d,%d", &org_x, &org_y, &cx, &cy) == 4) {
+ if (0 <= org_x && org_x < state->width &&
+ 0 <= org_y && org_y < state->height) {
+ ui->org_x = org_x;
+ ui->org_y = org_y;
+ }
+ if (0 <= cx && cx < state->width &&
+ 0 <= cy && cy < state->height) {
+ ui->cx = cx;
+ ui->cy = cy;
+ }
+ }
 }
 
 static void game_changed_state(game_ui *ui, const game_state *oldstate,
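Review bot: The `%d` conversions in the new sscanf() call in decode_ui() still take numbers from the save file with no width limit, and C leaves the behaviour undefined when a converted value does not fit in an int, so the range checks that follow are not guaranteed to see a well-defined value. Bounding each field closes that gap, assuming int is at least 32 bits: `if (sscanf(encoding, "O%9d,%9d;C%9d,%9d", &org_x, &org_y, &cx, &cy) == 4) {`. An over-long number then fails to match the following separator, sscanf() returns fewer than 4, and the encoding is ignored like any other malformed one. A short comment above the checks would also help the next reader, for example `/* Save files are untrusted: ignore co-ordinates outside the grid, which the redraw code asserts on. */`.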