Fix: use-after-free when applying an object that got destroyed
Found this running the fuzzer with address sanitizer. After applying an object, the game checks whether it's a talking artifact so that it can speak to you afterwards. If, however, the object got destroyed in the process of applying it, this will read and dereference obj after it has been freed. I found this with a cream pie, which is always destroyed when someone applies it. To fix this, I tracked the obj pointer for what I think are the only two cases in the big switch statement that don't track this - royal jelly and cream pie. Royal jelly is only conditionally destroyed depending on further input, so its function had to be refactored to take a struct obj**, but cream pies are unconditionally destroyed so it can just be set to null. (xNetHack cherry-pick conflict note: royal jelly rub handling had been moved to a slightly different place in the code.)
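The pattern the commit describes, as an added C model that is not NetHack's or xNetHack's code: apply_obj() stands in for the big switch, use_cream_pie() frees unconditionally and the caller nulls obj afterwards, use_royal_jelly() takes a struct obj ** and nulls it only when it actually consumes the object, and the post-apply talking-artifact check dereferences obj only while it is still non-NULL. The struct fields, function names and the jelly_consumed flag are all constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the apply path from the commit message, not NetHack's
 * own code; struct fields and use_* names are placeholders. */
struct obj {
    const char *name;
    int talking;   /* nonzero: a talking artifact that speaks after being applied */
};
enum apply_result { APPLY_DESTROYED, APPLY_SURVIVED, APPLY_SPOKE };

/* Cream pie: always consumed. The callee frees it; the caller must forget it. */
static void use_cream_pie(struct obj *pie) { free(pie); }

/* Royal jelly: consumed only on some paths (a flag stands in for the further
 * input), so it takes struct obj ** and nulls the caller's pointer when it frees. */
static void use_royal_jelly(struct obj **optr, int consumed)
{
    if (consumed) {
        free(*optr);
        *optr = NULL;
    }
}

/* Post-apply talking-artifact check. Before the fix, obj->talking was read
 * unconditionally, which is the use-after-free ASan reported for a cream pie. */
enum apply_result apply_obj(struct obj *obj, int jelly_consumed)
{
    if (strcmp(obj->name, "cream pie") == 0) {
        use_cream_pie(obj);
        obj = NULL;                 /* the fix: record that obj is gone */
    } else if (strcmp(obj->name, "royal jelly") == 0) {
        use_royal_jelly(&obj, jelly_consumed);
    }
    if (obj == NULL)
        return APPLY_DESTROYED;     /* nothing left that could speak */
    return obj->talking ? APPLY_SPOKE : APPLY_SURVIVED;
}

/* Build an object, apply it, and free it if it survived. */
enum apply_result apply_and_release(const char *name, int talking, int jelly_consumed)
{
    struct obj *o = malloc(sizeof *o);
    o->name = name;
    o->talking = talking;
    enum apply_result r = apply_obj(o, jelly_consumed);
    if (r != APPLY_DESTROYED)
        free(o);
    return r;
}
```

Removing the `obj = NULL` line after use_cream_pie() and running under AddressSanitizer reproduces the heap-use-after-free read on `obj->talking`.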