Fix heap use after free

In a lua script, if object was created inside a container, it
might've merged with another object.

Also prevent stacking, lighting, and burying contained objects.

diff --git a/src/sp_lev.c b/src/sp_lev.c
index 2847f3497b70d5b16e73d4157bec336c6db38a63..a99dc540dc2f47fd0388b7e7a520434f9e574123 100755 (executable)
--- a/src/sp_lev.c
+++ b/src/sp_lev.c
@@ -2239,7 +2239,7 @@ struct mkroom *croom;
 
             remove_object(otmp);
             if (cobj) {
-                (void) add_to_container(cobj, otmp);
+                otmp = add_to_container(cobj, otmp);
                 cobj->owt = weight(cobj);
             } else {
                 obj_extract_self(otmp);
@@ -2324,18 +2324,19 @@ struct mkroom *croom;
         }
     }
 
-    stackobj(otmp);
+    if (!(o->containment & SP_OBJ_CONTENT)) {
+        stackobj(otmp);
 
-    if (o->lit) {
-        begin_burn(otmp, FALSE);
-    }
+        if (o->lit)
+            begin_burn(otmp, FALSE);
 
-    if (o->buried) {
-        boolean dealloced;
+        if (o->buried) {
+            boolean dealloced;
 
-        (void) bury_an_obj(otmp, &dealloced);
-        if (dealloced && container_idx) {
-            container_obj[container_idx - 1] = NULL;
+            (void) bury_an_obj(otmp, &dealloced);
+            if (dealloced && container_idx) {
+                container_obj[container_idx - 1] = NULL;
+            }
         }
     }
 }