Saving a bones file should not free memory; the function really_done will be using that information after the call to savebones, resulting in a heap-use-after-free error (and possibly later in a double-free in nh_terminate if things get that far).

2023-12-14 20:01:26 +02:00
parent 77d7c449e0
commit 22d26b7653
1 changed files with 1 additions and 1 deletions
--- a/src/bones.c
+++ b/src/bones.c
@@ -576,7 +576,7 @@ savebones(int how, time_t when, struct obj *corpse)
    }
    c = (char) (strlen(bonesid) + 1);

-    nhfp->mode = WRITING | FREEING;
+    nhfp->mode = WRITING;
    store_version(nhfp);
    store_savefileinfo(nhfp);
    if (nhfp->structlevel) {