From: Michael Meyer Date: Mon, 28 Nov 2022 22:16:21 +0000 (-0500) Subject: Fix: potential use-after-free in expels() X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5cf6042ca49787b453e303a98b8533ffbd2ed33b;p=nethack Fix: potential use-after-free in expels() An engulfing monster can expel you onto a level teleporter or other level-changing trap, in which case it may (under highly specific circumstances[1]) no longer have been in memory by the time mtmp->mx/my were accessed to see whether the "Brrooaa" message should be printed. It also doesn't make much sense to print that message by the time you've already fallen through a portal, trapdoor, etc, onto another level, so I think moving it before the spoteffects() call kills two birds with one stone. [1] The highly specific circumstances: you must die due to illness or some other timeout (or generally die on your own turn rather than the monsters' turn, since this ensures the level change isn't deferred until the end of the turn), while engulfed above a level teleporter [or maybe another similar trap -- I tested with a level teleporter], and be lifesaved, while positioned such that the engulfer can't follow you through the levelport after expulsion (e.g. surrounded by other monsters). It may happen under some other conditions too, but even if so it's pretty rare and was tough to reproduce. --- diff --git a/src/mhitu.c b/src/mhitu.c index 385668121..9ed14381e 100644 --- a/src/mhitu.c +++ b/src/mhitu.c @@ -270,10 +270,10 @@ expels( unstuck(mtmp); /* ball&chain returned in unstuck() */ mnexto(mtmp, RLOC_NOMSG); newsym(u.ux, u.uy); - spoteffects(TRUE); /* to cover for a case where mtmp is not in a next square */ if (um_dist(mtmp->mx, mtmp->my, 1)) pline("Brrooaa... You land hard at some distance."); + spoteffects(TRUE); } /* select a monster's next attack, possibly substituting for its usual one */