From 48e76437391b202145b24e2d07dbd6cb3cdadccb Mon Sep 17 00:00:00 2001 From: PatR Date: Thu, 31 Jan 2019 04:22:04 -0800 Subject: [PATCH] fix monstone() ... dealloc_obj() panic Fuzzer feedback. When turning a monster into a statue, monstone() builds a linked list of mon->minvent items to put into that statue. It doesn't use obj_extract_self() to take them off again, leaving obj->nobj non-Null. Not noticed for the normal case where each item gets linked into the container's contents, but triggers panic if an item merges with something already put inside so gets removed. Suddenly, the dungeon collapses. dealloc_obj with nobj [2] 0x01000c4193 panic + 995 [3] 0x0100155427 dealloc_obj + 71 [4] 0x010021d4de obfree + 686 [5] 0x01000f2f92 merged + 834 [6] 0x010015356e add_to_container + 126 [7] 0x01001628ac monstone + 636 I don't know why the petrified monster's mergeable inventory wasn't already merged while in inventory. --- doc/fixes36.2 | 4 +++- src/mon.c | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/doc/fixes36.2 b/doc/fixes36.2 index 945ac8f57..c5c37abea 100644 --- a/doc/fixes36.2 +++ b/doc/fixes36.2 @@ -1,4 +1,4 @@ -$NHDT-Branch: NetHack-3.6.2-beta01 $:$NHDT-Revision: 1.239 $ $NHDT-Date: 1548695445 2019/01/28 17:10:45 $ +$NHDT-Branch: NetHack-3.6.2-beta01 $:$NHDT-Revision: 1.241 $ $NHDT-Date: 1548937318 2019/01/31 12:21:58 $ This fixes36.2 file is here to capture information about updates in the 3.6.x lineage following the release of 3.6.1 in April 2018. Please note, however, @@ -355,6 +355,8 @@ hero poly'd into creature with hug attack could hug a long worm's tail which smudging of an engraving has been relocated to after a succesful move and both your former location and your resulting location are subject to the smudging +monster with multiple items in inventory could trigger 'dealloc_obj with nobj' + panic when turned into a statue if separate mon->minvent items merged Fixes to Post-3.6.1 Problems that Were Exposed Via git Repository 
diff --git a/src/mon.c b/src/mon.c index 570b95244..7ea70a576 100644 --- a/src/mon.c +++ b/src/mon.c @@ -1,4 +1,4 @@ -/* NetHack 3.6 mon.c $NHDT-Date: 1548208236 2019/01/23 01:50:36 $ $NHDT-Branch: NetHack-3.6.2-beta01 $:$NHDT-Revision: 1.277 $ */ +/* NetHack 3.6 mon.c $NHDT-Date: 1548937318 2019/01/31 12:21:58 $ $NHDT-Branch: NetHack-3.6.2-beta01 $:$NHDT-Revision: 1.278 $ */ /* Copyright (c) Stichting Mathematisch Centrum, Amsterdam, 1985. */ /*-Copyright (c) Derek S. Ray, 2015. */ /* NetHack may be freely redistributed. See license for details. */ @@ -2213,6 +2213,7 @@ struct monst *mdef; otmp = oname(otmp, MNAME(mdef)); while ((obj = oldminvent) != 0) { oldminvent = obj->nobj; + obj->nobj = 0; /* avoid merged-> obfree-> dealloc_obj-> panic */ (void) add_to_container(otmp, obj); } /* Archeologists should not break unique statues */
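Review bot: in the mon.c hunk at @@ -2213,6 +2213,7 @@, the added `obj->nobj = 0;` is the right minimal fix for the `merged -> obfree -> dealloc_obj` panic, and the loop is safe against the merge case because `oldminvent = obj->nobj;` advances the cursor before `add_to_container()` can free `obj`, so nothing touches a freed object afterwards. The in-code comment only names the symptom, though; it should also say why the usual `obj_extract_self()` is not used here: as the commit message describes, the items were taken off `mdef->minvent` as a whole list into `oldminvent`, so there is no per-object unlink step that would have cleared `nobj`, and the stale link is what `obfree()` rejects. Suggested wording: `obj->nobj = 0; /* already unlinked from mdef->minvent as a list; obfree() panics on non-Null nobj if this item merges */`. One follow-up worth tracking separately: the discarded return of `add_to_container()` means the caller cannot tell whether `obj` survived or was merged away, which is fine in this loop but would bite any later code that kept a pointer to the items it put into the statue.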