From: PatR Date: Wed, 13 Apr 2022 20:34:14 +0000 (-0700) Subject: fix github issue #731 - accessing freed memory \ X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9c2a5cbcb88fe7d1da5573ca29fcf71a4fe0f19b;p=nethack fix github issue #731 - accessing freed memory \ after charging causes a ring to explode Reported by gebulmer: if charging exploded a ring, the ring's memory got freed but the stale pointer was passed to cap_spe() which accessed it again. Fix by setting the object pointer to Null after using up the ring. This was a post-3.6 bug. Fixes #731 --- diff --git a/doc/fixes3-7-0.txt b/doc/fixes3-7-0.txt index f543c78e6..a3ba2e1c8 100644 --- a/doc/fixes3-7-0.txt +++ b/doc/fixes3-7-0.txt @@ -1146,6 +1146,7 @@ add '#tip' for containers to context-sensitive invent handling sequencing confusion: picking an item when viewing inventory and picking an action to do with it caused the inventory command to use time, then on next turn the action was performed without taking any time +program would access freed memory if charging caused a ring to explode curses: 'msg_window' option wasn't functional for curses unless the binary also included tty support diff --git a/src/read.c b/src/read.c index 90fda12b0..b73c129cf 100644 --- a/src/read.c +++ b/src/read.c @@ -786,7 +786,7 @@ recharge(struct obj* obj, int curse_bless) if (is_on) Ring_gone(obj); s = rnd(3 * abs(obj->spe)); /* amount of damage */ - useup(obj); + useup(obj), obj = 0; losehp(Maybe_Half_Phys(s), "exploding ring", KILLED_BY_AN); } else { long mask = is_on ? (obj == uleft ? LEFT_RING : RIGHT_RING) : 0L;
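Review bot: in the src/read.c hunk, `useup(obj), obj = 0;` only clears the pointer in the exploding-ring branch, and the commit message says the stale pointer was afterwards passed to cap_spe(); the code that follows this if/else (outside the shown context) therefore must test `obj` for Null before dereferencing it, or the use-after-free simply becomes a Null-pointer dereference. The comma expression also hides the nulling on a casual read; two statements, `useup(obj); obj = 0;`, make the intent obvious and match the surrounding one-statement-per-line style. Note that `s` is computed from `obj->spe` before `useup(obj)` and `Ring_gone(obj)` runs earlier, so the ordering inside the branch is correct.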