fix github issue #731 - accessing freed memory after charging causes a ring to explode

Reported by gebulmer:  if charging exploded a ring, the ring's memory
got freed but the stale pointer was passed to cap_spe() which accessed
it again.  Fix by setting the object pointer to Null after using up
the ring.  This was a post-3.6 bug.

Fixes #731
This commit is contained in:
PatR
2022-04-13 13:34:14 -07:00
parent 670b7edf1d
commit 9c2a5cbcb8
2 changed files with 2 additions and 1 deletions


@@ -1146,6 +1146,7 @@ add '#tip' for containers to context-sensitive invent handling
sequencing confusion: picking an item when viewing inventory and picking an
action to do with it caused the inventory command to use time, then
on next turn the action was performed without taking any time
program would access freed memory if charging caused a ring to explode
curses: 'msg_window' option wasn't functional for curses unless the binary
also included tty support


@@ -786,7 +786,7 @@ recharge(struct obj* obj, int curse_bless)
if (is_on)
Ring_gone(obj);
s = rnd(3 * abs(obj->spe)); /* amount of damage */
useup(obj);
useup(obj), obj = 0;
losehp(Maybe_Half_Phys(s), "exploding ring", KILLED_BY_AN);
} else {
long mask = is_on ? (obj == uleft ? LEFT_RING : RIGHT_RING) : 0L;
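
Review bot: On the changed line `useup(obj), obj = 0;`, the comma operator tucks the pointer reset into what reads as a single call. The `} else {` that follows shows this is already inside a braced block, so two statements (`useup(obj);` then `obj = 0;`) with a short comment that obj is no longer valid after useup() would make the fix easier to spot. The hunk also does not show the later cap_spe() call that the commit message refers to, so please confirm that call is guarded against a null obj. Otherwise this trades a stale-pointer read for a null dereference.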