fix #H267 - wielded object burning up panic/crash
authornethack.rankin <nethack.rankin>
Fri, 16 Mar 2007 01:56:43 +0000 (01:56 +0000)
committernethack.rankin <nethack.rankin>
Fri, 16 Mar 2007 01:56:43 +0000 (01:56 +0000)
     From a bug report:  having a lit
candle or potion of oil be wielded or "worn" as alternate weapon or quiver
at the time it finished burning up would leave a stale worn object pointer
which could trigger a panic or crash.  Need to call useup() instead of
obj_extract_self()+obfree() for objects in inventory, similar to the way
hatching eggs are handled.

doc/fixes34.4
src/timeout.c

index 47e8a23eb55640bddb98e76451f0dade2d00959a..432aa4fefe49f1f8dc5f0634a8ef90891176bfd8 100644 (file)
@@ -337,6 +337,8 @@ when shopkeeper "gratefully inherits possessions" of hero who dies in shop
 dying in a shop while wielding two weapons could cause "Setworn: mask" warning
 make score file processing more bullet proof to avoid potential security issue
 towel equipped in weapon, alternate weapon, or quiver slot can be applied
+lit candle or potion of oil which burned out while equipped would leave stale
+       weapon/alternate-weapon/quiver pointer that could cause panic or crash
 
 
 Platform- and/or Interface-Specific Fixes
index 56f03e5a6dfe50cdb8e7dac5481e519ebdea6127..a3898ce4b97678368f997e7479d31c711f832bbc 100644 (file)
@@ -1,4 +1,4 @@
-/*     SCCS Id: @(#)timeout.c  3.5     2007/02/05      */
+/*     SCCS Id: @(#)timeout.c  3.5     2007/03/15      */
 /* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */
 /* NetHack may be freely redistributed.  See license for details. */
 
@@ -803,7 +803,8 @@ long timeout;
                if (menorah) {
                    obj->spe = 0;       /* no more candles */
                } else if (Is_candle(obj) || obj->otyp == POT_OIL) {
-                   /* get rid of candles and burning oil potions */
+                   /* get rid of candles and burning oil potions;
+                      we know this object isn't carried by hero */
                    obj_extract_self(obj);
                    obfree(obj, (struct obj *)0);
                    obj = (struct obj *) 0;
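Review bot: The added comment `we know this object isn't carried by hero` records an invariant that nothing in this branch enforces, while the two later sites in this commit test `carried(obj)` before freeing. The condition that guarantees it lies outside the hunk, so the comment should name it, for example `/* <enclosing condition> rules out hero's inventory, so there are no worn pointers to clear */`. If that guarantee ever stops holding, `obfree()` here would leave the same stale weapon/alternate-weapon/quiver pointer that this commit fixes elsewhere. Applying the same `carried(obj)` test as the other two sites would make the branch safe without relying on the comment.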
@@ -844,8 +845,12 @@ long timeout;
                        }
                    }
                    end_burn(obj, FALSE);       /* turn off light source */
-                   obj_extract_self(obj);
-                   obfree(obj, (struct obj *)0);
+                   if (carried(obj)) {
+                       useupall(obj);
+                   } else {
+                       obj_extract_self(obj);
+                       obfree(obj, (struct obj *)0);
+                   }
                    obj = (struct obj *) 0;
                    break;
 
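Review bot: The `carried(obj)` test with `useupall(obj)` on one side and `obj_extract_self(obj)` plus `obfree()` on the other is written out twice, here and in the hunk at -1016, and the unguarded copy at -803 is a third place that disposes of a burnt-out object. A small static helper holding the test once would reduce each site to a single call such as `dispose_burnt_out(obj);` (the name is only a suggestion) ahead of the existing `obj = (struct obj *) 0;`, so a later disposal site cannot skip the cleanup. The new branch also deserves a why-comment, for example `/* in inventory: must go through useupall() so wielded/quiver pointers are reset before the free */`, which follows the commit description since useupall's body is not shown. The enclosing function starts and ends outside these hunks, so whether the else path can free an object that some other owner still references cannot be judged from here.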
@@ -1016,8 +1021,12 @@ long timeout;
                        if (menorah) {
                            obj->spe = 0;
                        } else {
-                           obj_extract_self(obj);
-                           obfree(obj, (struct obj *)0);
+                           if (carried(obj)) {
+                               useupall(obj);
+                           } else {
+                               obj_extract_self(obj);
+                               obfree(obj, (struct obj *)0);
+                           }
                            obj = (struct obj *) 0;
                        }
                        break;