lnd_take_casualty() uses uninitialized rsect to compute the mobility
cost of retreating a defending land unit. This can charge incorrect
mobility, prevent retreat, or, if the stars align just right, crash
the server when sector_mcost() subscripts dchr[] with it.
Broken in commit
4e7c993a, v4.3.6. Reported by Scott C. Zielinski.
char buf[1024];
int taken;
int nowhere_to_go = 0;
- struct sctstr rsect;
double mobcost, bmcost;
signed char orig;
int mob;
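Review bot: removing the `struct sctstr rsect;` declaration, rather than just initialising it, is the stronger fix: any use of `rsect` that this patch missed now fails to compile instead of silently reading stack garbage. Worth grepping lnd_take_casualty() for the name before merging to confirm the two uses this patch removes are the only ones.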
continue;
if (sect.sct_type == SCT_MOUNT)
continue;
- mobcost = lnd_mobcost(&llp->unit.land, &rsect);
+ mobcost = lnd_mobcost(&llp->unit.land, §);
if (mobcost < 0)
continue;
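Review bot: the `§` in the `+` line is an HTML-entity rendering artefact of `&sect`, i.e. the call reads `lnd_mobcost(&llp->unit.land, &sect)`; `sect` is the sector already loaded and tested a few lines above (`sect.sct_type == SCT_MOUNT`), so the mobility cost is now computed from initialised data instead of the stale `rsect`. With a real sector behind it, the `mobcost < 0` check is also meaningful again, which is the path that previously let the uninitialised value reach sector_mcost().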
++nowned;
llp->unit.land.lnd_x = bx;
llp->unit.land.lnd_y = by;
/* FIXME landmines */
- getsect(bx, by, &rsect);
mob = llp->unit.land.lnd_mobil - (int)bmcost;
if (mob < -127)
mob = -127;
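Review bot: the dropped `getsect(bx, by, &rsect);` ran after the `lnd_mobcost()` call that consumed `rsect`, so even in the old code it never initialised the value in time; removing it is right, and no replacement load is needed since the call now passes `sect`. One leftover: the `/* FIXME landmines */` comment now sits directly above the `mob` arithmetic with nothing in between, so check it still refers to the intended code or move it along with what it describes.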