fix github issue #731 - accessing freed memory \

after charging causes a ring to explode

Reported by gebulmer:  if charging exploded a ring, the ring's memory
got freed but the stale pointer was passed to cap_spe() which accessed
it again.  Fix by setting the object pointer to Null after using up
the ring.  This was a post-3.6 bug.

Fixes #731

diff --git a/doc/fixes3-7-0.txt b/doc/fixes3-7-0.txt
index f543c78e6b7f757684b16027e12b7c798aa29aa7..a3ba2e1c8686f40011a4a88c12f00052e0fa98f6 100644 (file)
--- a/doc/fixes3-7-0.txt
+++ b/doc/fixes3-7-0.txt
@@ -1146,6 +1146,7 @@ add '#tip' for containers to context-sensitive invent handling
 sequencing confusion: picking an item when viewing inventory and picking an
        action to do with it caused the inventory command to use time, then
        on next turn the action was performed without taking any time
+program would access freed memory if charging caused a ring to explode
 
 curses: 'msg_window' option wasn't functional for curses unless the binary
        also included tty support

diff --git a/src/read.c b/src/read.c
index 90fda12b08c7710acccf023fac0b4e9a4652f680..b73c129cfc289a38dd8ded1a5f1e6f1fac81b4e8 100644 (file)
--- a/src/read.c
+++ b/src/read.c
@@ -786,7 +786,7 @@ recharge(struct obj* obj, int curse_bless)
             if (is_on)
                 Ring_gone(obj);
             s = rnd(3 * abs(obj->spe)); /* amount of damage */
-            useup(obj);
+            useup(obj), obj = 0;
             losehp(Maybe_Half_Phys(s), "exploding ring", KILLED_BY_AN);
         } else {
             long mask = is_on ? (obj == uleft ? LEFT_RING : RIGHT_RING) : 0L;