From: Simon Tatham
Date: Wed, 21 Oct 2015 17:32:15 +0000 (+0100)
Subject: Fix array overruns in the new Filling solver pass.
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=sgt-puzzles.git;a=commitdiff_plain;h=1cf403ceb81482dea7107a49573d6834c5a650d1

Fix array overruns in the new Filling solver pass.

Probably because I wrote a couple of loops up to the maximum cell value using the non-idiomatic <= for their termination test, I also managed to use <= inappropriately for iterating over every cell of the grid, leading to a couple of references just off the end of arrays.

Amusingly, it was the Emscripten front end which pointed this out to me by actually crashing as a result! Though valgrind found it just fine too, once I thought to run that. But it comes to something when running your C program in Javascript detects your memory errors :-)
---
diff --git a/filling.c b/filling.c index 2edec91..3797e5c 100644 --- a/filling.c +++ b/filling.c @@ -977,7 +977,7 @@ static int learn_bitmap_deductions(struct solver_state *s, int w, int h) * reached by extending an existing region - we don't need to * know exactly _how far_ out of reach it is. */ - for (i = 0; i <= sz; i++) { + for (i = 0; i < sz; i++) { if (s->board[i] == n) { /* Square is part of an existing CC. */ minsize[i] = dsf_size(s->dsf, i); @@ -1024,7 +1024,7 @@ static int learn_bitmap_deductions(struct solver_state *s, int w, int h) * in the bitmap reinstated, because we've found that it's * potentially reachable by extending an existing CC. */ - for (i = 0; i <= sz; i++) + for (i = 0; i < sz; i++) if (minsize[i] <= n) bm[i] |= 1<
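Review bot: in the first hunk (@@ -977), the old `i <= sz` bound reads `s->board[sz]`, one element past the end of the board, and when that stale value happens to equal `n` it also writes `minsize[sz]` out of bounds, so changing the test to `i < sz` is the right fix. Since `sz` counts cells and `n` is a cell value, a one-line comment on the loop such as `/* i ranges over cells 0..sz-1 */` would keep the index bound visually distinct from the value loops the commit message says legitimately use `<=`, which is exactly the confusion that produced this bug. Given that valgrind caught the overrun immediately once it was run, a valgrind or address-sanitizer pass over the solver before merging solver changes would be a cheap regression guard.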
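Review bot: in the second hunk (@@ -1024), the unbraced body `if (minsize[i] <= n) bm[i] |= ...` reads `minsize[sz]` and writes `bm[sz]` under the old bound, so `i < sz` is correct here too; but note that `<= n` on the same line is a genuine value comparison sitting next to what was the faulty index bound, which is easy to misread on review. I would brace this loop body to match the braced loop in the hunk above and keep the index test consistently `<` in both places, so the two kinds of comparison cannot be mistaken for one another at a glance.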