Fix buffer overruns in fairland for island size zero

Fairland creates islands with size 1 + random() % (2 * is - 1), where
"is" is either chosen by the user (fourth command line argument) or
defaults to half the continent size (second command line argument).
Negative values are silently replaced by zero.

Not only does value zero make no sense, it also breaks the code: the
island size is always one then (because random() % -1 is zero), but
allocate_memory() provides only space for zero sectors in sectx[],
secty[] and sectc[].  This leads to buffer overruns in try_to_grow(),
find_coast(), elevate_land, set_coastal_flags().  Can smash the heap.

Fix by changing the lower bound from zero to one.  Diagnosed with
valgrind.  Has always been broken.

diff --git a/src/util/fairland.c b/src/util/fairland.c
index 3b13d0dc4a2397d259168c595c912f488d5187a6..e4109f28666e362813e91e98285105c3245cd9dc 100644 (file)
--- a/src/util/fairland.c
+++ b/src/util/fairland.c
@@ -368,8 +368,8 @@ parse_args(int argc, char *argv[])
        is = atoi(argv[3]);
     else
        is = sc / 2;
-    if (is < 0)
-       is = 0;
+    if (is < 1)
+       is = 1;
 
     if (argc > 4)
        sp = atoi(argv[4]);