take_gold() crash with GOLDOBJ

Possible fix for B10001.
When the code went into case 3 in cursed_book(),
the game hung in an endless loop in take_gold().
The call stack was:
    take_gold() line 22 + 10 bytes
    cursed_book(int 2) line 124
    study_book(obj * 0x00968860) line 421 + 19 bytes
    doread() line 130 + 9 bytes
    rhack(char * 0x005b8eac in_line) line 1813 + 3 bytes
    moveloop() line 405 + 7 bytes
    main(int 3, char * * 0x00962ac0) line 93

diff --git a/doc/fixes34.1 b/doc/fixes34.1
index be66c0440d6926dc1e9710d37641620ae069d24a..d48623fa26a53870fb13cef4753c4e8642dd5768 100644 (file)
--- a/doc/fixes34.1
+++ b/doc/fixes34.1
@@ -224,6 +224,8 @@ make sure that missing file trickery in wizard mode which is discovered during
        level change doesn't try to keep going after discarding current level
 contribution by Adam Wozniak adds several const & changes some char* to char[]
 fix impossible when hitting/jousting a monster causes it to be killed twice
+fix a GOLDOBJ crash/hang in take_gold() that could be triggered by reading a
+       cursed spellbook, or by sitting on a throne
 
 
 Platform- and/or Interface-Specific Fixes

diff --git a/src/sit.c b/src/sit.c
index 75b8ad5d9abc6a51cca9b7328ed544a9ee8e21ab..7b6550f673e0c8b6363d06d0e2afb04f5ed81c1f 100644 (file)
--- a/src/sit.c
+++ b/src/sit.c
@@ -17,9 +17,10 @@ take_gold()
                flags.botl = 1;
        }
 #else
-        struct obj *otmp;
+        struct obj *otmp, *nobj;
        int lost_money = 0;
-       for (otmp = invent; otmp; otmp = otmp->nobj) {
+       for (otmp = invent; otmp; otmp = nobj) {
+               nobj = otmp->nobj;
                if (otmp->oclass == COIN_CLASS) {
                        lost_money = 1;
                        delobj(otmp);