I found a reproducible crash in TColorDialog when using multiple TColorGroups with different numbers of TColorItems.
Reproduction
Open a TColorDialog with at least two groups:
Group A with more items (e.g. 11)
Group B with fewer items (e.g. 7)
In Group A, select a high item index (e.g. last item).
Switch to Group B.
Re-open color dialogs / switch groups repeatedly.
Observed behavior
Occasional segmentation fault (invalid list index path while restoring saved per-group index).
Expected behavior
Switching groups should be safe regardless of differing item counts.
Root cause
TColorGroupList::setGroupIndex stores/restores item indices per group, but does not clamp itemNum to the current group’s actual item count.
When a previously saved index is larger than the destination group’s item list, later focus/navigation can access invalid positions.
Proposed fix
Clamp the incoming index in TColorGroupList::setGroupIndex:
compute item count of the target group
if empty: force index 0
if itemNum >= itemCount: use itemCount - 1
Patch location
tvision/source/tvision/colorsel.cpp
Function: TColorGroupList::setGroupIndex
Scope
Minimal, localized change
No API changes
Backward compatible
Manual verification
Opened color dialogs with groups of different sizes
Switched repeatedly between groups
No crashes after clamping
If you want, I can also provide a very short “minimal repro program” snippet for the issue.
I found a reproducible crash in TColorDialog when using multiple TColorGroups with different numbers of TColorItems.
Reproduction
Open a TColorDialog with at least two groups:
Group A with more items (e.g. 11)
Group B with fewer items (e.g. 7)
In Group A, select a high item index (e.g. last item).
Switch to Group B.
Re-open color dialogs / switch groups repeatedly.
Observed behavior
Occasional segmentation fault (invalid list index path while restoring saved per-group index).
Expected behavior
Switching groups should be safe regardless of differing item counts.
Root cause
TColorGroupList::setGroupIndex stores/restores item indices per group, but does not clamp itemNum to the current group’s actual item count.
When a previously saved index is larger than the destination group’s item list, later focus/navigation can access invalid positions.
Proposed fix
Clamp the incoming index in TColorGroupList::setGroupIndex:
compute item count of the target group
if empty: force index 0
if itemNum >= itemCount: use itemCount - 1
Patch location
tvision/source/tvision/colorsel.cpp
Function: TColorGroupList::setGroupIndex
Scope
Minimal, localized change
No API changes
Backward compatible
Manual verification
Opened color dialogs with groups of different sizes
Switched repeatedly between groups
No crashes after clamping
If you want, I can also provide a very short “minimal repro program” snippet for the issue.