From b264e17cf25ff2784f0e0ecdb7757c9b28fe2752 Mon Sep 17 00:00:00 2001
From: PatR
Date: Sat, 11 Apr 2026 01:02:42 -0700
Subject: [PATCH] fix use-after-free bug in curses shutdown

A year ago a use-free-bug was reported for curses. I don't use ASAN so haven't reproduced it, but I think this should fix it. If the RIP window is deleted after the map window has gone away, the code from commit 5e572d3d5f2581d14c29bd0071c6be0d7fbdce5e (post 3.6.7) would execute and access the internals of the deleted map window.
---
 win/curses/curswins.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/win/curses/curswins.c b/win/curses/curswins.c
index 9fe04edd4..52e21db37 100644
--- a/win/curses/curswins.c
+++ b/win/curses/curswins.c
@@ -224,6 +224,10 @@ curses_destroy_win(WINDOW *win)
 delwin(win);
 if (win == activemenu)
 activemenu = NULL;
+ /* during shutdown, RIP window could still be active after mapwin goes
+ away; so, avoid 'if (mapwin)' above when deleting RIP window later */
+ if (win == mapwin)
+ win = mapwin = NULL;
 curses_refresh_nethack_windows();
 nhUse(dummyht);
 }
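Review bot: The new `if (win == mapwin)` test, like the existing `win == activemenu` one, runs after `delwin(win)` has released the window, so both compare a pointer that is already dangling. Clearing the globals immediately before the `delwin(win)` call, with `if (win == mapwin) mapwin = NULL;` and the same for `activemenu`, keeps the stale-pointer reset from reading a freed handle, and the `win = NULL` store could then be dropped because nothing visible reads `win` afterwards. The `if (mapwin)` block the comment refers to lies above the hunk, so it is worth confirming there, and in `curses_refresh_nethack_windows()`, that a NULL `mapwin` is tolerated during shutdown. Since the description says the report was never reproduced, running the RIP/shutdown path once under an AddressSanitizer build would confirm the fix before it is relied on.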