From 285023acf65e36e3ca419a0ebea036323d082725 Mon Sep 17 00:00:00 2001 From: PatR Date: Mon, 3 Dec 2018 18:57:01 -0800 Subject: [PATCH] fix #H7659 - accessing freed memory by cutworm() hmon() can destroy the weapon being used, and known_hitum() would still pass the pointer to the freed object to cutworm(). Remember the relevant weapon attribute before using and maybe freeing the object, then pass that attribute instead of the whole weapon. Also pass 'more-likely-to-cut' for axes in addition to blades. thimonst() behaved similarly, although due to much different code paths none of the objects that might get to hmon() were then passed to cutworm(), so it wasn't vulnerable. But pass 'more-likely-to-cut' for axes instead of for blades when thrown. --- doc/fixes36.2 | 2 ++ include/extern.h | 4 ++-- src/dothrow.c | 14 +++++++++----- src/uhitm.c | 8 +++++--- src/worm.c | 16 +++++++--------- 5 files changed, 25 insertions(+), 19 deletions(-) diff --git a/doc/fixes36.2 b/doc/fixes36.2 index 53ba866ea..07d1fe756 100644 --- a/doc/fixes36.2 +++ b/doc/fixes36.2 @@ -236,6 +236,8 @@ to emphasize that it's not a light source, change description of wielded Sting from "(glowing)" to nothing (not warm enough to feel) when blind glowing Sting quivers if hero becomes blind and quivering Sting glows if blindness ends; it worked for timed blindness but not for blindfold +weapon (wielded pie, egg, potion, boomerang) might be destroyed when hitting a + long worm, then freed memory was accessed to decide whether to cut it Fixes to Post-3.6.1 Problems that Were Exposed Via git Repository diff --git a/include/extern.h b/include/extern.h index 16b10859b..4f1c8d6fa 100644 --- a/include/extern.h +++ b/include/extern.h @@ -1,4 +1,4 @@ -/* NetHack 3.6 extern.h $NHDT-Date: 1543745352 2018/12/02 10:09:12 $ $NHDT-Branch: NetHack-3.6.2-beta01 $:$NHDT-Revision: 1.664 $ */ +/* NetHack 3.6 extern.h $NHDT-Date: 1543892214 2018/12/04 02:56:54 $ $NHDT-Branch: NetHack-3.6.2-beta01 $:$NHDT-Revision: 1.665 $ */ /* Copyright (c) Steve Creps, 1988. */ /* NetHack may be freely redistributed. See license for details. */ @@ -2834,7 +2834,7 @@ E void FDECL(worm_move, (struct monst *)); E void FDECL(worm_nomove, (struct monst *)); E void FDECL(wormgone, (struct monst *)); E void FDECL(wormhitu, (struct monst *)); -E void FDECL(cutworm, (struct monst *, XCHAR_P, XCHAR_P, struct obj *)); +E void FDECL(cutworm, (struct monst *, XCHAR_P, XCHAR_P, BOOLEAN_P)); E void FDECL(see_wsegs, (struct monst *)); E void FDECL(detect_wsegs, (struct monst *, BOOLEAN_P)); E void FDECL(save_worm, (int, int)); diff --git a/src/dothrow.c b/src/dothrow.c index d40857447..e55c9b7d6 100644 --- a/src/dothrow.c +++ b/src/dothrow.c @@ -1,4 +1,4 @@ -/* NetHack 3.6 dothrow.c $NHDT-Date: 1525012611 2018/04/29 14:36:51 $ $NHDT-Branch: master $:$NHDT-Revision: 1.137 $ */ +/* NetHack 3.6 dothrow.c $NHDT-Date: 1543892215 2018/12/04 02:56:55 $ $NHDT-Branch: NetHack-3.6.2-beta01 $:$NHDT-Revision: 1.152 $ */ /* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */ /*-Copyright (c) Robert Patrick Rankin, 2013. */ /* NetHack may be freely redistributed. See license for details. */ @@ -1652,13 +1652,16 @@ register struct obj *obj; /* thrownobj or kickedobj or uwep */ } if (tmp >= dieroll) { - boolean wasthrown = (thrownobj != 0); + boolean wasthrown = (thrownobj != 0), + /* remember weapon attribute; hmon() might destroy obj */ + chopper = is_axe(obj); /* attack hits mon */ if (hmode == HMON_APPLIED) u.uconduct.weaphit++; if (hmon(mon, obj, hmode, dieroll)) { /* mon still alive */ - cutworm(mon, bhitpos.x, bhitpos.y, obj); + if (mon->wormno) + cutworm(mon, bhitpos.x, bhitpos.y, chopper); } exercise(A_DEX, TRUE); /* if hero was swallowed and projectile killed the engulfer, @@ -1668,8 +1671,9 @@ register struct obj *obj; /* thrownobj or kickedobj or uwep */ if (wasthrown && !thrownobj) return 1; - /* projectiles other than magic stones - sometimes disappear when thrown */ + /* projectiles other than magic stones sometimes disappear + when thrown; projectiles aren't among the types of weapon + that hmon() might have destroyed so obj is intact */ if (objects[otyp].oc_skill < P_NONE && objects[otyp].oc_skill > -P_BOOMERANG && !objects[otyp].oc_magic) { diff --git a/src/uhitm.c b/src/uhitm.c index a14218543..0412bb599 100644 --- a/src/uhitm.c +++ b/src/uhitm.c @@ -1,4 +1,4 @@ -/* NetHack 3.6 uhitm.c $NHDT-Date: 1542765366 2018/11/21 01:56:06 $ $NHDT-Branch: NetHack-3.6.2-beta01 $:$NHDT-Revision: 1.185 $ */ +/* NetHack 3.6 uhitm.c $NHDT-Date: 1543892215 2018/12/04 02:56:55 $ $NHDT-Branch: NetHack-3.6.2-beta01 $:$NHDT-Revision: 1.195 $ */ /* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */ /*-Copyright (c) Robert Patrick Rankin, 2012. */ /* NetHack may be freely redistributed. See license for details. */ @@ -449,7 +449,9 @@ int rollneeded, armorpenalty; /* for monks */ struct attack *uattk; int dieroll; { - register boolean malive = TRUE; + boolean malive = TRUE, + /* hmon() might destroy weapon; remember aspect for cutworm */ + slice_or_chop = (weapon && (is_blade(weapon) || is_axe(weapon))); if (override_confirmation) { /* this may need to be generalized if weapons other than @@ -490,7 +492,7 @@ int dieroll; u.uconduct.weaphit = oldweaphit; } if (mon->wormno && *mhit) - cutworm(mon, x, y, weapon); + cutworm(mon, x, y, slice_or_chop); } } return malive; diff --git a/src/worm.c b/src/worm.c index 4e9d144b1..faf257710 100644 --- a/src/worm.c +++ b/src/worm.c @@ -1,4 +1,4 @@ -/* NetHack 3.6 worm.c $NHDT-Date: 1456528599 2016/02/26 23:16:39 $ $NHDT-Branch: NetHack-3.6.0 $:$NHDT-Revision: 1.20 $ */ +/* NetHack 3.6 worm.c $NHDT-Date: 1543892216 2018/12/04 02:56:56 $ $NHDT-Branch: NetHack-3.6.2-beta01 $:$NHDT-Revision: 1.28 $ */ /* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */ /*-Copyright (c) Robert Patrick Rankin, 2009. */ /* NetHack may be freely redistributed. See license for details. */ @@ -314,10 +314,10 @@ register struct monst *worm; * that both halves will survive. */ void -cutworm(worm, x, y, weap) +cutworm(worm, x, y, cuttier) struct monst *worm; xchar x, y; -struct obj *weap; +boolean cuttier; /* hit is by wielded blade or axe or by thrown axe */ { register struct wseg *curr, *new_tail; register struct monst *new_worm; @@ -330,12 +330,10 @@ struct obj *weap; if (x == worm->mx && y == worm->my) return; /* hit on head */ - /* cutting goes best with a bladed weapon */ - cut_chance = rnd(20); /* Normally 1-16 does not cut */ - /* Normally 17-20 does */ - - if (weap && is_blade(weap)) /* With a blade 1- 6 does not cut */ - cut_chance += 10; /* 7-20 does */ + /* cutting goes best with a cuttier weapon */ + cut_chance = rnd(20); /* Normally 1-16 does not cut, 17-20 does, */ + if (cuttier) + cut_chance += 10; /* with a blade 1- 6 does not cut, 7-20 does. */ if (cut_chance < 17) return; /* not good enough */ -- 2.40.0