copy_utf8_to_ascii_no_funny() eats the character following a replaced
non-ASCII character. Buffer overrun possible when the terminating
zero gets eaten. Broken in commit b5ff7e3b, v4.2.21.
Affected commands:
* players column "last command" in ASCII sessions: struct player
member combuf is UTF-8, uprnf() filters to ASCII.
* read in ASCII sessions: telegram chunks are UTF-8, uprnf() filters
to ASCII.
* flash and wall with message argument in ASCII sessions: argument is
used raw, i.e. UTF-8, pr_flash() filters to ASCII. Safe as long as
we have input filtering sanitizing the raw argument. command() does
that, but execute() doesn't (bug, to be fixed in a later commit).
* execute prompting for its argument in UTF-8 sessions: prmptrd()
receives user text, and filters to ASCII.
Unaffected:
* dispatch() argument redir is UTF-8, uprnf() can filter to ASCII.
Safe as long as we have input filtering sanitizing the raw argument.
command() does that. execute() doesn't, but rejects redirections
before calling dispatch().
* getele() buffer is UTF-8, uprnf() can filter to ASCII. Safe,
because its contents come from uprmptrd(), which filters input.
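As an added illustration of the bug class this commit describes, not the Empire server's own copy_utf8_to_ascii_no_funny(): a UTF-8-to-ASCII filter that, after replacing a non-ASCII character, skips only the continuation bytes actually present, so neither the following character nor the terminating NUL is eaten. The function names, the '?' replacement and the canary check are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the server's code: names and '?' are assumptions. */

/* Length of the UTF-8 sequence introduced by lead byte c, or 0 when
 * c is a stray continuation byte or otherwise invalid as a lead byte. */
static size_t utf8_seq_len(unsigned char c)
{
    if (c < 0x80)           return 1;
    if ((c & 0xe0) == 0xc0) return 2;
    if ((c & 0xf0) == 0xe0) return 3;
    if ((c & 0xf8) == 0xf0) return 4;
    return 0;
}

/* Copy UTF-8 string src into dst (capacity dstsz), replacing each
 * non-ASCII character by repl. Returns bytes written, NUL excluded.
 * Advancing a fixed distance after a replacement is what ate the
 * next character (possibly the NUL) in the bug above; this version
 * skips only continuation bytes, and a NUL is never one of those. */
size_t copy_utf8_to_ascii_filtered(char *dst, size_t dstsz,
                                   const char *src, char repl)
{
    const unsigned char *s = (const unsigned char *)src;
    size_t n = 0, len;

    if (dstsz == 0)
        return 0;
    while (*s && n + 1 < dstsz) {
        len = utf8_seq_len(*s);
        if (len == 1) {
            dst[n++] = (char)*s++;
            continue;
        }
        dst[n++] = repl;
        s++;                            /* lead (or stray) byte */
        while (len > 1 && (*s & 0xc0) == 0x80) {
            s++;                        /* continuation byte */
            len--;
        }
    }
    dst[n] = '\0';
    return n;
}

/* Run the filter into a canary-padded buffer; return 1 when the output
 * equals expect and the byte just past the destination is untouched. */
int filter_check(const char *src, size_t dstsz, const char *expect)
{
    char buf[16];
    size_t n;

    if (dstsz >= sizeof buf)
        return 0;
    memset(buf, 'X', sizeof buf);
    n = copy_utf8_to_ascii_filtered(buf, dstsz, src, '?');
    return n == strlen(expect) && strcmp(buf, expect) == 0
        && buf[dstsz] == 'X';
}

int main(void)
{
    char out[16];

    /* constructed input: "caf" + accented e (2 bytes) + "!" */
    copy_utf8_to_ascii_filtered(out, sizeof out, "caf\xc3\xa9!", '?');
    printf("%s\n", out);
    return 0;
}
```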
Fix xundump's "value must match" check for split tables
The check applies to selectors with flag NSC_CONST set. It permits
initializing them in new objects, but prevents changing them in
existing objects. For split tables, initialization worked only in the
first part, because new objects were considered old in later parts.
For instance, in a custom config sect-chr with mnem in the second
part's field 2, new sector types were rejected with `Value for field 2
must be ""'.
"version" is a normal table since commit da8a1dae, v4.3.12. xdump.pl
wasn't updated for that, and queried the version table twice. When
the deprecated special "xdump ver" was removed in commit 78b3af20
(v4.3.27), the extra query broke. Remove it.
Fix empdump not to touch plane file when import fails
pln_zap_transient_flags() fixes up planes stuck in the air (commit
7ca4f412, v4.3.12). Since commit 4e9e58bf (v4.3.14), it writes back
the fixed planes. This is wrong for empdump.
empdump should touch data only on successful import. When it fails
because ef_verify() fails, and any planes are found stuck in the air,
the plane file gets rewritten.
Make ef_verify() take parameter may_put to let empdump suppress the
plane write-back. The plane file still gets written out on successful
import, along with the other imported game state.
Verify game state and configuration reference sanity
Table elements reference other table elements. Bad things happen when
references dangle. ef_verify() already checks whether the referenced
table elements exist. This commit makes it check whether the elements
are "in use". This catches stuff like living planes on dead carriers.
verify_row() refrains from rejecting zero uids, because some tables
may contain blank entries, with zero uid.
Change it to check only header sanity for entries that are not in use.
This filters out all legitimately blank entries. Tighten up the uid
check.
For computing "in use", factor empobj_in_use() out of xdvisible().
Note that xdvisible()'s case EF_COUNTRY doesn't bother to check
nat_stat, because that's implied by what it does check. It's not
implied in empobj_in_use(), so add it there.
Trade ships are now enabled when a ship type with capability trade
exists. No such type exists by default; to enable trade ships,
deities have to customize table ship-chr.
Before, trade ship types were ignored when option TRADESHIPS was
disabled. Except for xdump ship-chr, which happily dumped unusable
trade ship types.
Only trade ships can be auto-scuttled. orde() rejects scuttle orders
for other ships. scuttle_it() double-checks, but gets the test wrong:
it rejects only when opt_TRADESHIPS is enabled. Fix that. While
there, make it oops on inadmissible ships.
Fix how configuration tables and empdump treat omitted entries
Change xundump to blank out omitted rows. Before, they were left
alone. Impact:
* No change for reading builtin tables.
* Reading custom tables now replaces the builtin tables instead of
sort-of-merging them. Wasn't a real merge, because it dropped
builtin entries after the last custom entry, except for
non-truncatable tables item, sect-chr and infrastructure.
* empdump -i now replaces the old state instead of sort-of-merging the
dump into the old state. Wasn't a real merge, because it dropped
old state entries after the last entry in the dump, except for the
fixed-size tables sect, nat, realm and game.
Don't misinterpret blank configuration entries as sentinels
Configuration table entries not defined by builtin and custom
configuration files remain blank. They get misinterpreted as sentinel
in tables that use one. Affected are tables product, ship-chr,
plane-chr, land-chr and nuke-chr. Tables item, sect-chr and
infrastructure are immune despite using a sentinel, because omitting
entries is not permitted there.
Code relying on the sentinel fails to pick up entries after the first
blank one. They don't get set up correctly, they're invisible to
build and show, and not recognized as symbolic selector values (the
frg in ship ?type=frg). xdump is fine, because it doesn't rely on
sentinels. It dumps blank entries normally.
The bugs don't bite in the stock game, because the builtin
configuration files are all dense.
The sentinels are all null strings. Set them to "" in the affected
tables' oninit callback. Fix up code iterating over the tables to
ignore such entries. This is precisely the code relying on sentinels,
plus xdump's xdvisible().
Permit omitting rows at the end of tables nat and game
When not enough rows are supplied for a table with fixed size, treat
the rows missing at the end just like rows omitted elsewhere: make
them blank if the omission is permitted (tables nat and game), else
fail (tables sect and realm; no change).
Forbid omitting rows for tables with const fields: item and sect-chr.
This is consistent with the rule for truncation.
The server expects certain entries in these two tables, and
malfunctions when they're blank. Omitting them in the builtin tables
has always left them blank, but deities are not supposed to edit them,
and maintainers are supposed to know what they're doing, so the issue
was deemed unimportant and ignored. However, I plan to blank out
omitted rows in custom tables as well, and then the issue isn't
unimportant anymore.
Truncating is actually fine for table product. It's forbidden because
selector sname has flag NSC_CONST set. I don't remember why sname was
made const in commit 445dfec9 along with item selector mnem, sect-chr
selector mnem and infrastructure selector name. Unlike the other
tables, no code depends on product's builtin values. Clear the flag.
Overhaul how xundump keeps track of current object
Factor tracking of cur_type, cur_obj, cur_id and cur_is_blank into a
set of functions. They replace getobj(). While there, improve some
error messages.
Move pln_oninit(), lnd_oninit(), nuk_oninit() to filetable.c
They set up invariants, and thus should be always active, not just in
the server. Since ef_blank() isn't used for these files outside the
server right now, this isn't a bug fix, just cleanup.
Move file initialization from files.c to empfile oninit()
files.c writes initial contents to game state files with fixed size.
Necessary for setting up invariants, such as struct sctstr members
sct_x, sct_y matching sct_uid.
Do that from the oninit() callback, so ef_blank() sets up invariants
correctly. Since ef_blank() isn't used for these files right now,
this isn't a bug fix, just cleanup.
Instead of stuffing NULL initializers into the cache initializer
macros UNMAPPED_CACHE(), ARRAY_CACHE(), PTR_CACHE(), ARRAY_TABLE().
In preparation for having some non-NULL initializers.
Fix empdump not to grow game state files with fixed size
empdump -i now complains about extra rows instead of silently growing
the file to a size the server will reject. Affects tables sector,
nation, realms, game.
Bonus fix: better error message on I/O error or insufficient memory.
Fix empdump not to truncate game state files with fixed size
empdump -i now complains about missing rows instead of silently
truncating the file to a size the server will reject. Affects tables
sector, nation, realms, game.
New struct empfile member nent replaces ef_open() parameter nelt.
Cleaner, because the expected size is a property of the file, not of
how it's used. Also fixes empdump to check file sizes.
Complication: with EFF_CREATE, ef_open() creates an empty file, to be
extended to the correct size. Callers passed nelt argument -1 along
with EFF_CREATE, to make ef_open() accept the empty file. Can't do
the same for empfile member nent. Instead, make ef_open() not check
the (zero) size then.
ef_verify() assumes views are open. Bug is harmless, because
ef_nelem() returns zero for closed views, and ef_verify() accesses
only immutable parts of struct empfile then.
New struct empfile member base replaces ef_open_view() parameter base.
Cleaner, because the base table is a property of the view, not of how
it's used.
Use it to clean up verify_fail()'s base table access, and for extra
sanity checks in ef_open() and ef_open_view().
Change struct empfile callback onresize() to return void
ef_open() handles onresize() failing incorrectly. Instead of fixing
that, drop the failure mode. It's not really used: unit_onresize()
fails only when used incorrectly. It isn't. If it ever is, ignoring
the failure is safe.
Make ef_close() clear them always, even for views. Harmless, as
ef_open_view() always sets the same flags.
Drop redundant assignment to ep->flags in ef_open(). ef_close()
clears mutable flags, no need to clear them some more right before
calling it. Missed in commit 3eb3607f, v4.3.0.
ef_open() and ef_close() clear EFF_SENTINEL because of that. Broken
since commit 1492845c (v4.3.17) added EFF_SENTINEL. Harmless, as no
file-backed table has a sentinel.
Fix ef_open()'s error message for file larger than static cache
The message claims the file is larger than it actually is. Broken
since commit 71908018 (v4.3.0) implemented static cache in ef_open().
Harmless, because no file-backed table has a statically allocated
cache.
Fix how empdump rejects attempt to split table sect
Split tables require the record index in the leftmost column.
defellipsis() correctly rejects "..." when the table doesn't have one.
It fails to reject it when it has one that is NSC_EXTRA, and thus not
permitted in a dump. This is the case for table sect. defellipsis()
happily succeeds, then chkflds() demands column "uid" if it's missing,
and rejects it if it's present.
It missed those with more flags than just NSC_EXTRA set: table sect
name uid, table nat names passwd, xorg, yorg, contacts, rejects.
Since xundump() doesn't provide space for these, the bug could lead to
buffer overruns. Fixes flawed commit 726a8e3d, v4.3.12.
xubody() neglected to check ef_truncate()'s return value. Two failure
modes: invalid arguments, and ftruncate() failure. The former
shouldn't happen, and the latter can happen only for file-backed
tables, hence only in empdump -i.
Tables with a file name are: any game state, and any table that's
initialized from a .config file.
Tables that are no longer customizable: "updates" (customization had
no effect, because update_get_schedule() overwrote it), "table",
"meta" and the symbol tables (customization couldn't change them
anyway), and news-chr (customizing r_newsstory[] was kind of neat, but
unsafe because they are format strings for sprintf()).
"xdump updates" believes there are always 15 (UPDATE_TIME_LEN - 1)
scheduled updates. When fewer than 15 updates are scheduled, it shows
whatever crap update time happens to be in the unused part of
update_time[]: the initial zero or a previously scheduled update.
Root cause is that table EF_UPDATES has always UPDATE_TIME_LEN - 1
entries, which is incorrect when fewer updates are scheduled. Only
xdump is affected, as the other users ignore the length and stop at
the sentinel.
Fix update_get_schedule() to resize table EF_UPDATES.
Provide proper ca_table for carrier unit# selectors
Makes ef_verify() check carrier UIDs are sane. Partially protects
unit_cargo_init(), which oopses on bad carriers.
This has become possible only since commit 64a53c90 (v4.3.17) set
their values to -1 in newly created units. Before, they were zero in
units that had never been used, and a proper ca_table would have made
ef_verify() fail when unit#0 didn't exist.
The only unit# selectors left without a proper ca_table are ship's
follow, lost's id and trade's unitid. Document why.
Update examples in doc/xdump to current server's output
The NSC_CONST flags added in commit fa63f87b have always been missing
here. The previous commit changed xdump meta meta. Other than that,
it's just different encodings.
Refer to table names instead of C identifiers in .config
The C identifier permits looking up the table in the source. The
table name permits lookup with xdump.
Coders should know how to go from table name to C identifier. Deities
aren't all coders; we shouldn't ask them to guess table names from C
identifiers.
Don't ignore non-virtual NSC_EXTRA columns in ef_verify.c
These are commonly timestamps (no verification implemented), or
aliases for a non-extra column (which gets verified). Commit 49780e2c
(v4.3.12) added the exception: EF_SECTOR's uid. Proof by example that
ignoring these columns is wrong. Fix: ignore only virtual columns.
Simplify buil(): replace a switch by a function pointer
To enable that, make build_ship() & friends all take the same int type
argument instead of each one its own pointer. Passing pointers
triggered "may be used uninitialized" compiler warnings (the code was
safe despite the warnings).
Don't truncate research before multiplying with drnuke_const
For drnuke_const 0.33, research level 92.4 now suffices for a tech 280
nuke. Before, you needed 93, which was inconsistent with version's
promise "need 0.33 times the tech level in research".
This was probably neglected when the techlists feature was added in
v4.0.0, because compiled-in nukes were sorted by tech, unlike ships,
planes and land units. Customization can break that.
Drop the bugs documented as fixed. File was last changed in Empire 2,
so these have been fixed for a while...
Remaining bugs:
The classification scheme used by report is dumb.
It still is.
You can make a sector temporarily useless by filling up all its
fields with delivery and distribution information. This is useful
when an enemy is trying to capture the sector (his mil don't have
room to move in :-) You have to halt some of the deliveries or
distributions to make room for the military to move in. (Mostly
fixed by changing the number of available fields)
Fixed since 4.2.14 eliminated `variables'. Delete.
Warehouses can't distribute all commodities simultaneously, due to
limited fields for this information. This becomes a problem if
you have a countrywide network of warehouses distributing to each
other. (Mostly fixed by changing the number of available fields)
Fixed since 4.2.14 eliminated `variables'. Delete.
You can sometimes move small quantities of certain items from
warehouses at no mobility cost, even into mountains (this is my
favorite bug, I'd hate to see it fixed :-)
Feature; delete.
Guerrillas don't seem to carry the plague.
They still don't.
You can sometimes trick someone into paying a huge price for
commodities by changing the price suddenly. Therefore one should
always check prices when buying commodities.
You can't increase prices anymore. Delete.
When two countries are attacking each other simultaneously, you
can sometimes move into a sector he is in the process of
attacking. If you get the timing right, he will take the sector
but you will get it back, along with all his military.
Can't reproduce; delete.
If a plane is out to trade, and gets shot down, it can still be
bought until the next update. If another country builds a new
plane that gets the number of the plane that was shot down, the
new plane will go on the trading market automatically. Then if
that plane is bought, the money goes to the country whose plane
was shot down, not the country that built the plane. I stole
numerous planes (including nuclear missiles :-) this way (by
deliberately putting low numbered planes up for trade, then having
them shot down).
Planes on a trading block can't get shot down, because they can't fly.
They can get destroyed on the ground, though. A new plane with the
same number still goes on the market automatically. Same for ships,
land units and nukes. check_trade() deletes a trade when the object's
owner changed. Reword the paragraph accordingly.
If a plane has negative mobility, then gets traded, mobility goes to 0.
Still correct.
Firing on sectors with land-locked sunken ships does strange
things.
Can't reproduce; delete.
If two countries are cooperating, it's possible to raid an enemy
airport and steal the planes by putting them out to trade.
Still correct.
You can also strip enemy sectors of commodities using "sell", if
you have military control temporarily.
Requires mobility now. Delete.
One can make work go back to 100 everywhere in a country by moving
all civilians in low-work sectors onto a bridge, then collapsing
the bridge. Work then goes to 100 at the next update, if you
leave some mil in the vacated sectors. Or you can move mil out
too, letting the sector ownership change to the Deity, then move
back in from a 100% working sector, and work goes immediately to
100.
Feature; delete.
Two cooperative countries can move commodities around at no
mobility cost using the market.
Still correct.
You can collapse enemy bridges by making a lightning raid on his
bridgeheads and redesignating them, even if you only hold the
bridgehead for a short time. (In this game, bridges work
differently, see info build, info bridges")
Still correct. The parenthesis is cryptic, though; delete it.
You can map out enemy territory by raiding his radar stations.
Feature; delete.
Condition checking is very treacherous. Global commands with
conditions are unreliable. I never figured out exactly what was
wrong, although I think your method of putting conditions towards
the front of the line helped sometimes.
Can't reproduce; delete.
You can have more than 26 ships in a fleet, but only the first 26
will move when you navigate the fleet (I think 26 is the right
number, but I'm not certain. It might be 32).
Can't reproduce; delete.
"Look" only spots subs (from destroyers) at a certain distance.
If you are too close you won't see them (unless you are in the
same sector).
Can't reproduce; delete.
You can only fly as many planes on a mission as you can fit on the
command line (so low numbered planes have an advantage this way).
USE WINGS
The real issue here is truncation of long input lines. Replace.
When a sector has a visible ship, radar doesn't show whether the
sector is land or sea, just the ship. This has interesting
possibilities for exploitation (like land-locking a battleship
in your capital in order to deceive the enemy :-)
Feature; delete.
I don't think you can land planes on a land-locked aircraft
carrier anymore.
Yes, you can. Is that good or bad? Anyway, delete.
It's common to mistakenly set the price of a plane or ship
incorrectly so one should check trade after using set.
Pilot error; delete.
The "must be accepted by" date on offered loans is bogus.
Why is it bogus? The date looks good to me. The offer expires at
that time. Delete.