From 9784b5adef6b81782624e99df7e537a2ca8951eb Mon Sep 17 00:00:00 2001
From: Pasi Kallinen
Date: Sat, 18 Apr 2020 22:13:49 +0300
Subject: [PATCH] Fix heap use after free

In a lua script, if object was created inside a container, it might've merged with another object. Also prevent stacking, lighting, and burying contained objects.

---
 src/sp_lev.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/src/sp_lev.c b/src/sp_lev.c
index 2847f3497..a99dc540d 100755
--- a/src/sp_lev.c
+++ b/src/sp_lev.c
@@ -2239,7 +2239,7 @@ struct mkroom *croom;
         remove_object(otmp);
         if (cobj) {
-            (void) add_to_container(cobj, otmp);
+            otmp = add_to_container(cobj, otmp);
             cobj->owt = weight(cobj);
         } else {
             obj_extract_self(otmp);
@@ -2324,18 +2324,19 @@ struct mkroom *croom;
         }
     }
 
-    stackobj(otmp);
+    if (!(o->containment & SP_OBJ_CONTENT)) {
+        stackobj(otmp);
 
-    if (o->lit) {
-        begin_burn(otmp, FALSE);
-    }
+        if (o->lit)
+            begin_burn(otmp, FALSE);
 
-    if (o->buried) {
-        boolean dealloced;
+        if (o->buried) {
+            boolean dealloced;
 
-        (void) bury_an_obj(otmp, &dealloced);
-        if (dealloced && container_idx) {
-            container_obj[container_idx - 1] = NULL;
+            (void) bury_an_obj(otmp, &dealloced);
+            if (dealloced && container_idx) {
+                container_obj[container_idx - 1] = NULL;
+            }
         }
     }
 }
-- 
2.50.1
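Review bot: The reassignment `otmp = add_to_container(cobj, otmp);` is the whole use-after-free fix, but nothing in the code says why the return value now matters, and the next maintainer who "cleans up" an unused-looking assignment will reintroduce the bug. Please document it at the call site, e.g. `/* may merge otmp into an existing stack and free it; keep using the returned (surviving) object */`. Presumably every later write to `otmp` in this function (outside the hunk) is now applied to the merged stack rather than a separate object; if that is intended, a short comment saying so would help. The enclosing function starts before this hunk.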
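Review bot: The new `if (!(o->containment & SP_OBJ_CONTENT))` guard silently drops the `o->lit` and `o->buried` flags for contained objects, so a level script that asks for a lit or buried object inside a container gets neither and no diagnostic. If ignoring them is the intended contract, say so in a comment on the guard, e.g. `/* a contained object is not on the floor chain: stacking, lighting, and burying only apply to floor objects; lit/buried are ignored here */`; if it is not, an `impossible()` or `warning` when those flags are set on a contained object would surface the script error instead of hiding it. It also seems worth noting that `container_idx`/`container_obj[]` bookkeeping after `bury_an_obj()` only runs for floor objects now, which looks correct since only those can be deallocated by burying, but that is inferred, not visible in the hunk. The enclosing function begins before this hunk; its closing brace is the hunk's last line.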