Angband Forums > Angband > Development

Posted by t4nk, September 12, 2016, 23:11 (#1)
Use after free when removing curses

remove_object_curse() (effect.c:759) frees the curse and then sends a message about it:

static void remove_object_curse(struct object *obj, char *name, bool message)
{
    struct curse *c = obj->curses;
    if (streq(c->name, name)) {
        obj->curses = c->next;
        c->next = NULL;
        free_curse(c, true);
        if (message) {
            msg("The %s curse is removed!", name);
        }
    }
}
But the argument "name" comes from this curse (effect.c:800):

        remove_object_curse(obj, curse->name, true);

and gets freed with the rest of the curse (obj-curse.c:127).

The curse ultimately comes from the curse menu in ui-curse.c:

    for (curse = obj->curses; curse; curse = curse->next) {
        available[count++] = curse;
    }

    menu_setpriv(m, count, available);
I propose to free the curse after the message is sent, and perhaps remove the argument "name" to remove_object_curse().

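The ordering problem described in the post, worked through as an added example (this is not Angband's code; it is a stand-alone model of the curse list). It assumes a simplified struct curse holding a heap-allocated name, a free_curse() without Angband's second bool argument, and a msg() that also records the last message so a test can check it. The fix follows the post's proposal: the function takes the curse pointer instead of a "name" argument, unlinks it, emits the message while the name is still live, and only then frees it. The sample curse names are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for Angband's curse list (constructed for this example). */
struct curse {
    char *name;           /* heap-allocated; freed together with the curse */
    struct curse *next;
};

struct object {
    struct curse *curses; /* singly linked list of curses on the object */
};

/* Last message emitted, so the result can be checked without capturing stdout. */
static char last_msg[128];

static void msg(const char *fmt, const char *arg)
{
    snprintf(last_msg, sizeof last_msg, fmt, arg);
    puts(last_msg);
}

static char *copy_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Frees the curse and its name: after this call c->name is dangling. */
static void free_curse(struct curse *c)
{
    free(c->name);
    free(c);
}

/* Pushes a new curse onto the object's list and returns it. */
struct curse *add_curse(struct object *obj, const char *name)
{
    struct curse *c = malloc(sizeof *c);
    if (!c) return NULL;
    c->name = copy_string(name);
    c->next = obj->curses;
    obj->curses = c;
    return c;
}

/*
 * Fixed ordering: unlink, message, then free. Taking the curse pointer rather
 * than curse->name means the caller cannot hand us a string that this very
 * call is about to free. Returns false if the curse is not on the object.
 */
bool remove_object_curse(struct object *obj, struct curse *target, bool message)
{
    struct curse **link = &obj->curses;
    while (*link && *link != target)
        link = &(*link)->next;
    if (!*link)
        return false;

    *link = target->next;   /* unlink from the list */
    target->next = NULL;

    if (message)
        msg("The %s curse is removed!", target->name); /* name still valid here */

    free_curse(target);     /* only now is the memory released */
    return true;
}

int count_curses(const struct object *obj)
{
    int n = 0;
    for (const struct curse *c = obj->curses; c; c = c->next)
        n++;
    return n;
}

const char *last_message(void)
{
    return last_msg;
}

int main(void)
{
    struct object obj = { NULL };
    struct curse *v = add_curse(&obj, "vulnerability"); /* constructed names */
    struct curse *s = add_curse(&obj, "siphoning");

    remove_object_curse(&obj, v, true);
    remove_object_curse(&obj, s, true);
    printf("remaining curses: %d\n", count_curses(&obj));
    return 0;
}
```

Compiling with AddressSanitizer (-fsanitize=address) is the quickest way to confirm the difference: a variant that frees first and formats the message from the freed name is reported as a heap-use-after-free at the msg() call, while the ordering above runs clean.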