Bug: Player polymorphed into manticore causes crash when using #monster #251

elunna opened this issue Nov 12, 2022 · 1 comment
elunna commented Nov 12, 2022

Describe the bug
Found this while fuzzing Hack'EM - but traced it back to SpliceHack.

Starting program: /home/lunatunez/spl/install/games/lib/splicehackdir/splicehack -D -u wizard 2>err.log
[Detaching after fork from child process 6303]

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7c45859 in __GI_abort () at abort.c:79
#2  0x000055555563fc3d in NH_abort () at end.c:206
#3  0x000055555564201b in panic (str=str@entry=0x55555585e693 "flooreffects: obj not free")
    at end.c:692
#4  0x0000555555600e84 in flooreffects (obj=<optimized out>, x=<optimized out>, 
    y=<optimized out>, verb=verb@entry=0x5555558a0162 "fall") at do.c:138
#5  0x000055555562aa22 in throwit (obj=<optimized out>, obj@entry=0x5555559ded20, 
    wep_mask=wep_mask@entry=0, twoweap=twoweap@entry=0 '\000', oldslot=oldslot@entry=0x0)
    at dothrow.c:1608
#6  0x000055555571ef5d in dovolley () at polyself.c:1283
#7  0x00005555555db317 in domonability () at cmd.c:775
#8  0x00005555555daf12 in doextcmd () at cmd.c:394
#9  0x00005555555e3638 in rhack (cmd=<optimized out>, cmd@entry=0x0) at cmd.c:3661
#10 0x00005555555b4114 in moveloop_core () at allmain.c:544
#11 0x00005555555b438c in moveloop (resuming=<optimized out>) at allmain.c:567
#12 0x00005555557ee9df in main (argc=<optimized out>, argv=0x7fffffffe5f8)
    at ../sys/unix/unixmain.c:335
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
        set = {__val = {0, 0, 0, 0, 0, 0, 0, 17300034920647375360, 93824993197148, 335544320, 
            140737350361232, 1073741824, 13, 93824993195267, 93824993195149, 93824993197126}}
        pid = <optimized out>
        tid = <optimized out>
        ret = <optimized out>
#1  0x00007ffff7c45859 in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0xd, sa_sigaction = 0xd}, sa_mask = {__val = {
              93824993195267, 93824993195149, 93824993197126, 93824993206299, 93824992939652, 
              93824993110562, 93824994111325, 93824992785175, 93824992784146, 93824992818744, 
              93824992624916, 93824992625548, 93824994961887, 140737350234243, 
              17300034917509365760, 140737350361232}}, sa_flags = -821413376, sa_restorer = 0x2}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x000055555563fc3d in NH_abort () at end.c:206
        gdb_prio = <optimized out>
        libc_prio = <optimized out>
        aborting = 1 '\001'
#3  0x000055555564201b in panic (str=str@entry=0x55555585e693 "flooreffects: obj not free")
    at end.c:692
        the_args = {{gp_offset = 8, fp_offset = 48, overflow_arg_area = 0x7fffffffe2d0, 
            reg_save_area = 0x7fffffffe200}}
#4  0x0000555555600e84 in flooreffects (obj=<optimized out>, x=<optimized out>, 
    y=<optimized out>, verb=verb@entry=0x5555558a0162 "fall") at do.c:138
        t = <optimized out>
        mtmp = <optimized out>
        otmp = 0x64
        save_bhitpos = <optimized out>
        tseen = <optimized out>
        ttyp = 0
        res = 0
#5  0x000055555562aa22 in throwit (obj=<optimized out>, obj@entry=0x5555559ded20, 
    wep_mask=wep_mask@entry=0, twoweap=twoweap@entry=0 '\000', oldslot=oldslot@entry=0x0)
    at dothrow.c:1608
        mon = 0x0
        range = <optimized out>
        urange = <optimized out>
        crossbowing = <optimized out>
        gunning = <optimized out>
        clear_thrownobj = 0 '\000'
        impaired = <optimized out>
        tethered_weapon = <optimized out>
#6  0x000055555571ef5d in dovolley () at polyself.c:1283
        otmp = 0x5555559ded20
        mattk = <optimized out>
        i = 1
        numattacks = 7
#7  0x00005555555db317 in domonability () at cmd.c:775
No locals.
#8  0x00005555555daf12 in doextcmd () at cmd.c:394
        idx = <optimized out>
        retval = <optimized out>
        func = 0x5555555db18c <domonability>
#9  0x00005555555e3638 in rhack (cmd=<optimized out>, cmd@entry=0x0) at cmd.c:3661
        tlist = 0x555555909d60 <extcmdlist>
        res = <optimized out>
        func = 0x5555555daea7 <doextcmd>
        spkey = <optimized out>
        prefix_seen = <optimized out>
        bad_command = <optimized out>
        firsttime = 1 '\001'
        cmdq = <optimized out>
        cmdq_ec = <optimized out>
#10 0x00005555555b4114 in moveloop_core () at allmain.c:544
        monscanmove = <optimized out>
        pobj = <optimized out>
#11 0x00005555555b438c in moveloop (resuming=<optimized out>) at allmain.c:567
No locals.
#12 0x00005555557ee9df in main (argc=<optimized out>, argv=0x7fffffffe5f8)
    at ../sys/unix/unixmain.c:335
        dir = <optimized out>
        nhfp = <optimized out>
        exact_username = 0 '\000'
        resuming = <optimized out>
        plsel_once = <optimized out>

To Reproduce
Steps to reproduce the behavior:

  1. Any role/race in wizmode
  2. Polymorph into a manticore
  3. #monster and select a direction
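As an added illustration (not SpliceHack or hackem code), a minimal C model of the object-chain ownership that the `flooreffects: obj not free` panic in the backtrace guards: the hypothetical `place_on_floor` refuses an object still linked into inventory, and the two `throw_*` helpers contrast the sequence that trips the check with the one that unlinks first. Chain names, the `where` field and every function here are assumptions modelled on the panic message.

```c
/* Added example, not SpliceHack/hackem code: a toy model of object-chain
 * ownership. An object may sit on one chain at a time; placing it on the floor
 * requires it to be unlinked (OBJ_FREE) first. All names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum where { OBJ_FREE, OBJ_INVENT, OBJ_FLOOR };

struct obj {
    struct obj *nobj;   /* next object on whatever chain owns this one */
    enum where where;   /* which chain currently owns the object */
    char name[16];
};

static struct obj *invent = NULL; /* hero's inventory chain */
static struct obj *fobj = NULL;   /* floor object chain */

static struct obj *mkobj(const char *name) {
    struct obj *o = calloc(1, sizeof *o);
    strncpy(o->name, name, sizeof o->name - 1);
    o->where = OBJ_FREE;          /* freshly allocated: on no chain yet */
    return o;
}

static void addinv(struct obj *o) {
    if (o->where != OBJ_FREE) return; /* never double-link an object */
    o->nobj = invent; invent = o; o->where = OBJ_INVENT;
}

static void freeinv(struct obj *o) {
    for (struct obj **pp = &invent; *pp; pp = &(*pp)->nobj)
        if (*pp == o) { *pp = o->nobj; o->nobj = NULL; o->where = OBJ_FREE; return; }
}

/* Returns 1 on success, 0 where the real game would panic. */
static int place_on_floor(struct obj *o) {
    if (o->where != OBJ_FREE) {
        fprintf(stderr, "flooreffects: obj not free (%s on chain %d)\n", o->name, (int) o->where);
        return 0;
    }
    o->nobj = fobj; fobj = o; o->where = OBJ_FLOOR;
    return 1;
}

/* Buggy sequence: hand an inventory object to the floor without unlinking it. */
static int throw_without_unlink(struct obj *o) { return place_on_floor(o); }
/* Correct sequence: unlink from inventory first, then let it land. */
static int throw_with_unlink(struct obj *o) { freeinv(o); return place_on_floor(o); }
static int chain_len(const struct obj *c) { int n = 0; for (; c; c = c->nobj) n++; return n; }
```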
elunna commented Nov 12, 2022

I created a fix in this commit in hackem: elunna/hackem@524d9d5

The follow-up commit addresses memory leaks with manticores shooting spikes:
elunna/hackem@9118eee
