September 13, 2016, 00:11   #1
Posted by t4nk
Use after free when removing curses

remove_object_curse() (effect.c:759) frees the curse and sends a message about it:
static void remove_object_curse(struct object *obj, char *name, bool message)
{
    struct curse *c = obj->curses;
    if (streq(c->name, name)) {
        obj->curses = c->next;
        c->next = NULL;
        free_curse(c, true);
        if (message) {
            msg("The %s curse is removed!", name);
        }
    }
}
But the argument "name" comes from this curse (effect.c:800)
        remove_object_curse(obj, curse->name, true);
And gets freed with the rest of the curse (obj-curse.c:127).
The curse ultimately comes from the curse menu in ui-curse.c
    for (curse = obj->curses; curse; curse = curse->next) {
        available[count++] = curse;
    }

    menu_setpriv(m, count, available);
I propose to free the curse after the message is sent, and perhaps remove the argument "name" to remove_object_curse().
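The ordering bug described in the post, reduced to a stand-alone C program. This is an added example, not Angband's code: the struct shapes, the allocator, the message buffer in place of msg(), and the curse names "vulnerability" and "teleportation" are all constructed for illustration. The buggy variant is kept only for contrast and is never called; the corrected variant builds the message while the name is still valid and frees the curse last, which is the reordering the post proposes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-ins for the game's structures: a curse owns its name. */
struct curse {
    char *name;
    struct curse *next;
};

struct object {
    struct curse *curses;
};

/* Allocate a curse with a private copy of its name (stand-in allocator). */
struct curse *make_curse(const char *name)
{
    struct curse *c = calloc(1, sizeof(*c));
    size_t len = strlen(name) + 1;
    if (!c || !(c->name = malloc(len))) abort();
    memcpy(c->name, name, len);
    return c;
}

/* Stand-in for free_curse(): the name is released too, so any pointer
 * that aliases c->name dangles from here on. */
void free_curse(struct curse *c)
{
    if (!c) return;
    free(c->name);
    free(c);
}

void free_all_curses(struct object *obj)
{
    while (obj->curses) {
        struct curse *c = obj->curses;
        obj->curses = c->next;
        free_curse(c);
    }
}

/* The reported ordering: free first, then format the message from `name`.
 * When the caller passes curse->name, that is a read of freed memory.
 * Kept for contrast; deliberately never called. */
void remove_object_curse_buggy(struct object *obj, const char *name, char *msg, size_t msglen)
{
    struct curse *c = obj->curses;
    if (c && strcmp(c->name, name) == 0) {
        obj->curses = c->next;
        c->next = NULL;
        free_curse(c);
        snprintf(msg, msglen, "The %s curse is removed!", name); /* use after free */
    }
}

/* Corrected ordering: unlink, format the message while c->name is live,
 * then free. Walks the whole list rather than only the head. Returns true
 * when a curse was removed. */
bool remove_object_curse(struct object *obj, const char *name, char *msg, size_t msglen)
{
    for (struct curse **link = &obj->curses; *link; link = &(*link)->next) {
        struct curse *c = *link;
        if (strcmp(c->name, name) != 0) continue;
        *link = c->next;
        c->next = NULL;
        snprintf(msg, msglen, "The %s curse is removed!", c->name);
        free_curse(c); /* nothing touches name after this point */
        return true;
    }
    return false;
}

int count_curses(const struct object *obj)
{
    int n = 0;
    for (const struct curse *c = obj->curses; c; c = c->next) n++;
    return n;
}

/* Reproduces the caller from the report: the name argument is the selected
 * curse's own name field, so it aliases memory the callee frees. */
bool check_removal(void)
{
    struct object obj = { 0 };
    char msg[64] = "";
    obj.curses = make_curse("vulnerability");          /* constructed sample names */
    obj.curses->next = make_curse("teleportation");
    bool ok = remove_object_curse(&obj, obj.curses->name, msg, sizeof msg)
           && strcmp(msg, "The vulnerability curse is removed!") == 0
           && count_curses(&obj) == 1
           && strcmp(obj.curses->name, "teleportation") == 0
           /* removing a name that is no longer present must be a no-op */
           && !remove_object_curse(&obj, "vulnerability", msg, sizeof msg)
           && count_curses(&obj) == 1;
    free_all_curses(&obj);
    return ok;
}

int main(void)
{
    printf("removal ordering check: %s\n", check_removal() ? "ok" : "FAILED");
    return 0;
}
```

Building with `-fsanitize=address` and calling the buggy variant with `obj->curses->name` is the quickest way to see the report the post describes; the corrected variant runs clean under the same build because the only read of the name happens before free_curse().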
