From 8d53fffb68d8c04efa6470a4907eef3be567bd36 Mon Sep 17 00:00:00 2001
From: Andrew Borodin
Date: Tue, 7 Jan 2025 09:46:28 +0300
Subject: [PATCH] Ticket #4627: fix segfault in the help engine
...when going to the previous topic. Inside help_interactive_display(), the for loop that initializes history leaves history_ptr at -1. In help_back(), this value causes an out-of-bounds access to the history array, thus placing random noise in currentpoint and selected_item, the former used subsequently by help_bg_callback() and passed to help_show().
* (history_ptr): initialize to 0.
* (help_interactive_display): use separate variable for loop that initializes history.
Thanks Egmont Koblinger for the finding out the cause of segfault.
Signed-off-by: Andrew Borodin
---
 src/help.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/help.c b/src/help.c
index 6f24205558..8c4377b94b 100644
--- a/src/help.c
+++ b/src/help.c
@@ -96,7 +96,7 @@ typedef struct Link_Area
 static char *fdata = NULL; /* Pointer to the loaded data file */
 static int help_lines; /* Lines in help viewer */
-static int history_ptr; /* For the history queue */
+static int history_ptr = 0; /* For the history queue */
 static const char *main_node; /* The main node */
 static const char *last_shown = NULL; /* Last byte shown in a screen */
 static gboolean end_of_node = FALSE; /* Flag: the last character of the node shown? */
@@ -1091,6 +1091,7 @@ help_interactive_display (const gchar *event_group_name, const gchar *event_name
 char *filedata;
 ev_help_t *event_data = (ev_help_t *) data;
 WRect r = { 1, 1, 1, 1 };
+ int i;
 (void) event_group_name;
 (void) event_name;
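Review bot: The `= 0` on `static int history_ptr = 0;` is a no-op at run time, because objects with static storage duration are already zero-initialized in C; the crash is fixed by the loop change in help_interactive_display, not by this line. Keeping the explicit initializer as a statement of intent is fine, but then the trailing comment should state the invariant the rest of the file relies on, e.g. `/* Current index into history[]; must stay within [0, HISTORY_SIZE) */`. Note also that this initializer runs only once at program start, so it does not reset the index when the help viewer is opened a second time.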
@@ -1150,10 +1151,10 @@ help_interactive_display (const gchar *event_group_name, const gchar *event_name
 selected_item = search_string_node (main_node, STRING_LINK_START) - 1;
 currentpoint = main_node + 1; /* Skip the newline following the start of the node */
- for (history_ptr = HISTORY_SIZE - 1; history_ptr >= 0; history_ptr--)
+ for (i = HISTORY_SIZE - 1; i >= 0; i--)
 {
- history[history_ptr].page = currentpoint;
- history[history_ptr].link = selected_item;
+ history[i].page = currentpoint;
+ history[i].link = selected_item;
 }
 help_bar = buttonbar_new ();
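Review bot: After this loop history_ptr is never assigned in help_interactive_display, so a second help session starts at whatever index the previous one left, relying on help_back()/help_forward() (not in this diff) to keep it within [0, HISTORY_SIZE). That is harmless here because every slot has just been filled with the same page/link, but an explicit `history_ptr = 0;` after the closing brace makes the fresh-session invariant local to this function instead of depending on the static's one-time initializer. Since the commit message says help_back() indexed history[] with -1, a range check in help_back() itself (outside this diff) would keep any future stray index from reaching currentpoint and selected_item. help_interactive_display continues outside the hunk.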