Fix memory stomp due to inconsistent inventory layout and missing error check

jwkeating · jwkeating · commit a705e7cfa3fe · 2026-03-30T00:14:20.000-07:00
diff --git a/Source/inv.cpp b/Source/inv.cpp
@@ -67,10 +67,10 @@ bool invflag;
  *
  *                 01                   02
  *
- *              07 08 09 10 11 12 13 14 15 16
- *              17 18 19 20 21 22 23 24 25 26
- *              27 28 29 30 31 32 33 34 35 36
  *              37 38 39 40 41 42 43 44 45 46
+ *              27 28 29 30 31 32 33 34 35 36
+ *              17 18 19 20 21 22 23 24 25 26
+ *              07 08 09 10 11 12 13 14 15 16
  *
  * 47 48 49 50 51 52 53 54
  * @endcode
@@ -85,36 +85,6 @@ const Rectangle InvRect[] = {
 	{ {  17,  75 }, { 58, 86 } }, // left hand
 	{ { 248,  75 }, { 58, 87 } }, // right hand
 	{ { 132,  75 }, { 58, 87 } }, // chest
-	{ {  17, 222 }, { 29, 29 } }, // inv row 1
-	{ {  46, 222 }, { 29, 29 } }, // inv row 1
-	{ {  75, 222 }, { 29, 29 } }, // inv row 1
-	{ { 104, 222 }, { 29, 29 } }, // inv row 1
-	{ { 133, 222 }, { 29, 29 } }, // inv row 1
-	{ { 162, 222 }, { 29, 29 } }, // inv row 1
-	{ { 191, 222 }, { 29, 29 } }, // inv row 1
-	{ { 220, 222 }, { 29, 29 } }, // inv row 1
-	{ { 249, 222 }, { 29, 29 } }, // inv row 1
-	{ { 278, 222 }, { 29, 29 } }, // inv row 1
-	{ {  17, 251 }, { 29, 29 } }, // inv row 2
-	{ {  46, 251 }, { 29, 29 } }, // inv row 2
-	{ {  75, 251 }, { 29, 29 } }, // inv row 2
-	{ { 104, 251 }, { 29, 29 } }, // inv row 2
-	{ { 133, 251 }, { 29, 29 } }, // inv row 2
-	{ { 162, 251 }, { 29, 29 } }, // inv row 2
-	{ { 191, 251 }, { 29, 29 } }, // inv row 2
-	{ { 220, 251 }, { 29, 29 } }, // inv row 2
-	{ { 249, 251 }, { 29, 29 } }, // inv row 2
-	{ { 278, 251 }, { 29, 29 } }, // inv row 2
-	{ {  17, 280 }, { 29, 29 } }, // inv row 3
-	{ {  46, 280 }, { 29, 29 } }, // inv row 3
-	{ {  75, 280 }, { 29, 29 } }, // inv row 3
-	{ { 104, 280 }, { 29, 29 } }, // inv row 3
-	{ { 133, 280 }, { 29, 29 } }, // inv row 3
-	{ { 162, 280 }, { 29, 29 } }, // inv row 3
-	{ { 191, 280 }, { 29, 29 } }, // inv row 3
-	{ { 220, 280 }, { 29, 29 } }, // inv row 3
-	{ { 249, 280 }, { 29, 29 } }, // inv row 3
-	{ { 278, 280 }, { 29, 29 } }, // inv row 3
 	{ {  17, 309 }, { 29, 29 } }, // inv row 4
 	{ {  46, 309 }, { 29, 29 } }, // inv row 4
 	{ {  75, 309 }, { 29, 29 } }, // inv row 4
@@ -125,6 +95,36 @@ const Rectangle InvRect[] = {
 	{ { 220, 309 }, { 29, 29 } }, // inv row 4
 	{ { 249, 309 }, { 29, 29 } }, // inv row 4
 	{ { 278, 309 }, { 29, 29 } }, // inv row 4
+	{ {  17, 280 }, { 29, 29 } }, // inv row 3
+	{ {  46, 280 }, { 29, 29 } }, // inv row 3
+	{ {  75, 280 }, { 29, 29 } }, // inv row 3
+	{ { 104, 280 }, { 29, 29 } }, // inv row 3
+	{ { 133, 280 }, { 29, 29 } }, // inv row 3
+	{ { 162, 280 }, { 29, 29 } }, // inv row 3
+	{ { 191, 280 }, { 29, 29 } }, // inv row 3
+	{ { 220, 280 }, { 29, 29 } }, // inv row 3
+	{ { 249, 280 }, { 29, 29 } }, // inv row 3
+	{ { 278, 280 }, { 29, 29 } }, // inv row 3
+	{ {  17, 251 }, { 29, 29 } }, // inv row 2
+	{ {  46, 251 }, { 29, 29 } }, // inv row 2
+	{ {  75, 251 }, { 29, 29 } }, // inv row 2
+	{ { 104, 251 }, { 29, 29 } }, // inv row 2
+	{ { 133, 251 }, { 29, 29 } }, // inv row 2
+	{ { 162, 251 }, { 29, 29 } }, // inv row 2
+	{ { 191, 251 }, { 29, 29 } }, // inv row 2
+	{ { 220, 251 }, { 29, 29 } }, // inv row 2
+	{ { 249, 251 }, { 29, 29 } }, // inv row 2
+	{ { 278, 251 }, { 29, 29 } }, // inv row 2
+	{ {  17, 222 }, { 29, 29 } }, // inv row 1
+	{ {  46, 222 }, { 29, 29 } }, // inv row 1
+	{ {  75, 222 }, { 29, 29 } }, // inv row 1
+	{ { 104, 222 }, { 29, 29 } }, // inv row 1
+	{ { 133, 222 }, { 29, 29 } }, // inv row 1
+	{ { 162, 222 }, { 29, 29 } }, // inv row 1
+	{ { 191, 222 }, { 29, 29 } }, // inv row 1
+	{ { 220, 222 }, { 29, 29 } }, // inv row 1
+	{ { 249, 222 }, { 29, 29 } }, // inv row 1
+	{ { 278, 222 }, { 29, 29 } }, // inv row 1
 	{ { 205,   5 }, { 29, 29 } }, // belt
 	{ { 234,   5 }, { 29, 29 } }, // belt
 	{ { 263,   5 }, { 29, 29 } }, // belt
@@ -143,7 +143,7 @@ OptionalOwnedClxSpriteList pInvCels;
 /**
  * @brief Adds an item to a player's InvGrid array
  * @param player The player reference
- * @param invGridIndex Item's position in InvGrid (this should be the item's topleft grid tile)
+ * @param invGridIndex Item's position in InvGrid (this should be the item's bottom left grid tile)
  * @param invListIndex The item's InvList index (it's expected this already has +1 added to it since InvGrid can't store a 0 index)
  * @param itemSize Size of item
  */
@@ -153,10 +153,10 @@ void AddItemToInvGrid(Player &player, int invGridIndex, int invListIndex, Size i
 	for (int y = 0; y < itemSize.height; y++) {
 		const int rowGridIndex = invGridIndex + pitch * y;
 		for (int x = 0; x < itemSize.width; x++) {
-			if (x == 0 && y == itemSize.height - 1)
+			if (x == 0 && y == 0)
 				player.InvGrid[rowGridIndex + x] = invListIndex;
 			else
-				player.InvGrid[rowGridIndex + x] = -invListIndex; // use negative index to denote it's occupied but it's not the top-left cell.
+				player.InvGrid[rowGridIndex + x] = -invListIndex; // use negative index to denote it's occupied but it's not the bottom-left cell.
 		}
 	}
 
@@ -307,23 +307,23 @@ int FindTargetSlotUnderItemCursor(Point cursorPosition, Size itemSize)
 	}
 	for (int r = SLOTXY_INV_FIRST; r <= SLOTXY_INV_LAST; r++) {
 		if (InvRect[r].contains(cursorPosition + panelOffset)) {
-			// When trying to paste into the inventory we need to determine the top left cell of the nearest area that could fit the item, not the slot under the center/hot pixel.
+			// When trying to paste into the inventory we need to determine the bottom left cell of the nearest area that could fit the item, not the slot under the center/hot pixel.
 			if (itemSize.height <= 1 && itemSize.width <= 1) {
-				// top left cell of a 1x1 item is the same cell as the hot pixel, no work to do
+				// bottom left cell of a 1x1 item is the same cell as the hot pixel, no work to do
 				return r;
 			}
-			// Otherwise work out how far the central cell is from the top-left cell
+			// Otherwise work out how far the central cell is from the bottom left cell
 			Displacement hotPixelCellOffset = { (itemSize.width - 1) / 2, (itemSize.height - 1) / 2 };
 			// For even dimension items we need to work out if the cursor is in the left/right (or top/bottom) half of the central cell and adjust the offset so the item lands in the area most covered by the cursor.
 			if (itemSize.width % 2 == 0 && InvRect[r].contains(cursorPosition + panelOffset + Displacement { INV_SLOT_HALF_SIZE_PX, 0 })) {
 				// hot pixel was in the left half of the cell, so we want to increase the offset to preference the column to the left
 				hotPixelCellOffset.deltaX++;
 			}
-			if (itemSize.height % 2 == 0 && InvRect[r].contains(cursorPosition + panelOffset + Displacement { 0, INV_SLOT_HALF_SIZE_PX })) {
-				// hot pixel was in the top half of the cell, so we want to increase the offset to preference the row above
+			if (itemSize.height % 2 == 0 && !InvRect[r].contains(cursorPosition + panelOffset + Displacement { 0, INV_SLOT_HALF_SIZE_PX })) {
+				// hot pixel was in the bottom half of the cell, so we want to decrease the offset to preference the row below
 				hotPixelCellOffset.deltaY++;
 			}
-			// Then work out the top left cell of the nearest area that could fit this item (as pasting on the edge of the inventory would otherwise put it out of bounds)
+			// Then work out the bottom left cell of the nearest area that could fit this item (as pasting on the edge of the inventory would otherwise put it out of bounds)
 			const int hotPixelCell = r - SLOTXY_INV_FIRST;
 			const int targetRow = std::clamp((hotPixelCell / InventorySizeInSlots.width) - hotPixelCellOffset.deltaY, 0, InventorySizeInSlots.height - itemSize.height);
 			const int targetColumn = std::clamp((hotPixelCell % InventorySizeInSlots.width) - hotPixelCellOffset.deltaX, 0, InventorySizeInSlots.width - itemSize.width);
@@ -687,12 +687,12 @@ bool CheckItemFitsInInventorySlot(const Player &player, int slotIndex, const Siz
 std::optional<int> FindSlotForItem(const Player &player, const Size &itemSize, int itemIndexToIgnore = -1)
 {
 	if (itemSize.height == 1) {
-		for (int i = 30; i <= 39; i++) {
+		for (int i = 0; i <= 9; i++) {
 			if (CheckItemFitsInInventorySlot(player, i, itemSize, itemIndexToIgnore))
 				return i;
 		}
 		for (int x = 9; x >= 0; x--) {
-			for (int y = 2; y >= 0; y--) {
+			for (int y = 1; y <= 3; y++) {
 				if (CheckItemFitsInInventorySlot(player, 10 * y + x, itemSize, itemIndexToIgnore))
 					return 10 * y + x;
 			}
@@ -702,7 +702,7 @@ std::optional<int> FindSlotForItem(const Player &player, const Size &itemSize, i
 
 	if (itemSize.height == 2) {
 		for (int x = 10 - itemSize.width; x >= 0; x--) {
-			for (int y = 0; y < 3; y++) {
+			for (int y = 2; y >= 0; y--) {
 				if (CheckItemFitsInInventorySlot(player, 10 * y + x, itemSize, itemIndexToIgnore))
 					return 10 * y + x;
 			}
@@ -711,20 +711,24 @@ std::optional<int> FindSlotForItem(const Player &player, const Size &itemSize, i
 	}
 
 	if (itemSize == Size { 1, 3 }) {
-		for (int i = 0; i < 20; i++) {
+		for (int i = 10; i < 20; i++) {
+			if (CheckItemFitsInInventorySlot(player, i, itemSize, itemIndexToIgnore))
+				return i;
+		}
+		for (int i = 0; i < 10; i++) {
 			if (CheckItemFitsInInventorySlot(player, i, itemSize, itemIndexToIgnore))
 				return i;
 		}
 		return {};
 	}
 
 	if (itemSize == Size { 2, 3 }) {
-		for (int i = 0; i < 9; i++) {
+		for (int i = 10; i < 19; i++) {
 			if (CheckItemFitsInInventorySlot(player, i, itemSize, itemIndexToIgnore))
 				return i;
 		}
 
-		for (int i = 10; i < 19; i++) {
+		for (int i = 0; i < 9; i++) {
 			if (CheckItemFitsInInventorySlot(player, i, itemSize, itemIndexToIgnore))
 				return i;
 		}
@@ -1520,14 +1524,14 @@ int AddGoldToInventory(Player &player, int value)
 		SetPlrHandGoldCurs(goldItem);
 	}
 
-	// Last row right to left
-	for (int i = 39; i >= 30 && value > 0; i--) {
+	// Bottom row right to left
+	for (int i = 9; i >= 0 && value > 0; i--) {
 		value = CreateGoldItemInInventorySlot(player, i, value);
 	}
 
 	// Remaining inventory in columns, bottom to top, right to left
 	for (int x = 9; x >= 0 && value > 0; x--) {
-		for (int y = 2; y >= 0 && value > 0; y--) {
+		for (int y = 1; y <= 3 && value > 0; y++) {
 			value = CreateGoldItemInInventorySlot(player, 10 * y + x, value);
 		}
 	}
@@ -1565,29 +1569,39 @@ void inv_update_rem_item(Player &player, inv_body_loc iv)
 	CalcPlrInv(player, player._pmode != PM_DEATH);
 }
 
-void CheckInvSwap(Player &player, const Item &item, int invGridIndex)
+bool CheckInvSwap(Player &player, const Item &item, int invGridIndex)
 {
 	Size itemSize = GetInventorySize(item);
 
 	const int pitch = 10;
-	const int invListIndex = [&]() -> int {
-		for (int y = 0; y < itemSize.height; y++) {
-			const int rowGridIndex = invGridIndex + pitch * y;
-			for (int x = 0; x < itemSize.width; x++) {
-				const int gridIndex = rowGridIndex + x;
-				if (player.InvGrid[gridIndex] != 0)
-					return std::abs(player.InvGrid[gridIndex]);
+	if (invGridIndex + itemSize.width - 1 + pitch * (itemSize.height - 1) >= InventoryGridCells)
+		return false;
+
+	int invListIndex = 0;
+	for (int y = 0; y < itemSize.height; y++) {
+		int rowGridIndex = invGridIndex + pitch * y;
+		for (int x = 0; x < itemSize.width; x++) {
+			int gridIndex = rowGridIndex + x;
+			if (player.InvGrid[gridIndex] != 0) {
+				int existingItem = std::abs(player.InvGrid[gridIndex]);
+				if (!invListIndex) {
+					invListIndex = existingItem;
+				} else if (invListIndex != existingItem) {
+					// More than one item exists where we want to place the new item
+					return false;
+				}
 			}
 		}
-		player._pNumInv++;
-		return player._pNumInv;
-	}();
+	}
 
-	if (invListIndex < player._pNumInv) {
-		for (int8_t &itemIndex : player.InvGrid) {
-			if (itemIndex == invListIndex)
-				itemIndex = 0;
-			if (itemIndex == -invListIndex)
+	if (!invListIndex) {
+		// The inventory is empty where we want to place the new item.  Allocate a new spot.
+		player._pNumInv++;
+		invListIndex = player._pNumInv;
+	} else {
+		// Remove the old location of the existing item
+		for (int8_t& itemIndex : player.InvGrid) {
+			if (std::abs(itemIndex) == invListIndex)
 				itemIndex = 0;
 		}
 	}
@@ -1597,14 +1611,15 @@ void CheckInvSwap(Player &player, const Item &item, int invGridIndex)
 	for (int y = 0; y < itemSize.height; y++) {
 		const int rowGridIndex = invGridIndex + pitch * y;
 		for (int x = 0; x < itemSize.width; x++) {
-			if (x == 0 && y == itemSize.height - 1)
+			if (x == 0 && y == 0)
 				player.InvGrid[rowGridIndex + x] = invListIndex;
 			else
 				player.InvGrid[rowGridIndex + x] = -invListIndex;
 		}
 	}
 
 	CalcPlrInv(player, true);
+	return true;
 }
 
 void CheckInvRemove(Player &player, int invGridIndex)
diff --git a/Source/inv.h b/Source/inv.h
@@ -188,7 +188,7 @@ int AddGoldToInventory(Player &player, int value);
 bool GoldAutoPlace(Player &player, Item &goldStack);
 void CheckInvSwap(Player &player, inv_body_loc bLoc);
 void inv_update_rem_item(Player &player, inv_body_loc iv);
-void CheckInvSwap(Player &player, const Item &item, int invGridIndex);
+bool CheckInvSwap(Player &player, const Item &item, int invGridIndex);
 void CheckInvRemove(Player &player, int invGridIndex);
 void TransferItemToStash(Player &player, int location);
 void CheckInvItem(bool isShiftHeld = false, bool isCtrlHeld = false);
diff --git a/Source/items.cpp b/Source/items.cpp
@@ -3037,7 +3037,7 @@ void CreatePlrItems(Player &player)
 		MakeGoldStack(goldItem, loadout.gold);
 
 		player._pNumInv++;
-		player.InvGrid[30] = player._pNumInv;
+		player.InvGrid[0] = player._pNumInv;
 
 		player._pGold = goldItem._ivalue;
 	}
diff --git a/Source/msg.cpp b/Source/msg.cpp
@@ -2172,7 +2172,10 @@ size_t OnChangeInventoryItems(const TCmdChItem &message, Player &player)
 	} else if (&player != MyPlayer && IsItemAvailable(static_cast<_item_indexes>(Swap16LE(message.def.wIndx)))) {
 		Item item {};
 		RecreateItem(player, message, item);
-		CheckInvSwap(player, item, message.bLoc);
+		if (!CheckInvSwap(player, item, message.bLoc)) {
+			// item is larger than 1x1, and it occupies invalid inventory slots
+			return sizeof(message);
+		}
 	}
 
 	return sizeof(message);
diff --git a/Source/player.h b/Source/player.h
@@ -220,7 +220,7 @@ struct Player {
 
 	int lightId;
 
-	int _pNumInv;
+	int _pNumInv; // Number of items in InvList[]
 	int _pStrength;
 	int _pBaseStr;
 	int _pMagic;
@@ -294,6 +294,12 @@ struct Player {
 	int8_t _pHFrames;
 	int8_t _pDFrames;
 	int8_t _pBFrames;
+
+	// Player inventory grid is indexed as InvGrid[x + 10*y] where x in [0,9], y in [0,3].
+	// [0] is bottom left, [9] is bottom right, [30] is upper left, [39] is upper right.
+	// InvGrid[p] == 0 means no item in grid cell p.  InvGrid[p] != 0 means InvList[abs(InvGrid[p]) - 1] is the item at grid cell p.
+	// Items that take 1x1 grid cells use positive index InvGrid[p] > 0.  For larger items like a staff which takes 2x3 grid cells,
+	// InvGrid[p] > 0 is used for the bottom left grid cell of the item, and InvGrid[p] < 0 is used for the other grid cells of the item.
 	int8_t InvGrid[InventoryGridCells];
 
 	uint8_t plrlevel;

Original file line number	Diff line number	Diff line change
`@@ -3037,7 +3037,7 @@ void CreatePlrItems(Player &player)`
`3037`	`3037`	`MakeGoldStack(goldItem, loadout.gold);`
`3038`	`3038`
`3039`	`3039`	`player._pNumInv++;`
`3040`		`- player.InvGrid[30] = player._pNumInv;`
	`3040`	`+ player.InvGrid[0] = player._pNumInv;`
`3041`	`3041`
`3042`	`3042`	`player._pGold = goldItem._ivalue;`
`3043`	`3043`	`}`