From b3002a36b398bc65fb25bcc8f941d68f647b12ec Mon Sep 17 00:00:00 2001 From: PatR Date: Thu, 1 Dec 2022 16:15:45 -0800 Subject: [PATCH] alternate fix issue #938 - use-after-free If you kill an engulfer and get dropped onto a level teleporter or magic portal, wait until end of turn to perform the level change. The code to finish off killing the engulfer was left with a stale pointer for the monster when level change happens immediately. The level change was being forced to be immediate so that something noticeable happened before being asked for what to name a teleport scroll read while cursed or confused, but such scrolls become discovered these days. So when no prompting for what to call the scroll takes place, there's no need to change levels instantly. This issue was just fixed but this commit is simpler. The previous fix is left in place in case some other level change path is--or becomes--possible. --- src/teleport.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/teleport.c b/src/teleport.c index 1efc34f5b..04bbd4b0a 100644 --- a/src/teleport.c +++ b/src/teleport.c @@ -1110,11 +1110,18 @@ level_tele(void) Verbose(2, level_tele) ? "You materialize on a different level!" : (char *) 0); +#if 0 /* always wait until end of turn to change level, otherwise code + * that references monsters as this call stack unwinds won't be + * able to access them reliably; the do-the-change-now code here + * dates from when reading a scroll of teleportation wouldn't + * always make the scroll become discovered but that's no longer + * the case so it shouldn't be needed anymore */ /* in case player just read a scroll and is about to be asked to call it something, we can't defer until the end of the turn */ if (u.utotype && !gc.context.mon_moving) deferred_goto(); +#endif } void
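Review bot: In the level_tele() hunk of src/teleport.c, the old comment "we can't defer until the end of the turn" is kept inside the new `#if 0` block and now directly contradicts the comment added on the `#if 0` line, so a later reader who re-enables the block has two opposite rationales to choose from. Since the immediate `deferred_goto()` call is what left callers with a stale monster pointer, I would delete the disabled `if (u.utotype && !gc.context.mon_moving)` block outright and keep only the new explanation as an ordinary comment, or at least reword the old comment as historical. The new comment also begins on the `#if 0` line and runs across six lines; that compiles, but a standalone comment above the directive would be easier to read and less likely to be mangled by tools that treat directive lines specially. Finally, the hunk does not show where the end-of-turn level change is performed once this call is gone; naming that call site in the comment would let a reader confirm that `u.utotype` is still acted on for the scroll case this branch used to handle.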