Fix uninitialized variable use in defending land unit retreat
authorMarkus Armbruster <armbru@pond.sub.org>
Mon, 5 Mar 2012 11:57:33 +0000 (12:57 +0100)
committerMarkus Armbruster <armbru@pond.sub.org>
Mon, 5 Mar 2012 11:57:52 +0000 (12:57 +0100)
lnd_take_casualty() uses uninitialized rsect to compute the mobility
cost of retreating a defending land unit.  This can charge incorrect
mobility, prevent retreat, or, if the stars align just right, crash
the server when sector_mcost() subscripts dchr[] with it.

Broken in commit 4e7c993a, v4.3.6.  Reported by Scott C. Zielinski.

src/lib/subs/lndsub.c

index 30630a708c0e6945647fcab12439e2ba0680a0b5..9a414b90b5417b5080b6ec8fa3b604c96d200250 100644 (file)
@@ -169,7 +169,6 @@ lnd_take_casualty(int combat_mode, struct ulist *llp, int cas)
     char buf[1024];
     int taken;
     int nowhere_to_go = 0;
-    struct sctstr rsect;
     double mobcost, bmcost;
     signed char orig;
     int mob;
@@ -237,7 +236,7 @@ lnd_take_casualty(int combat_mode, struct ulist *llp, int cas)
                    continue;
                if (sect.sct_type == SCT_MOUNT)
                    continue;
-               mobcost = lnd_mobcost(&llp->unit.land, &rsect);
+               mobcost = lnd_mobcost(&llp->unit.land, &sect);
                if (mobcost < 0)
                    continue;
                ++nowned;
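Review bot: The corrected call `lnd_mobcost(&llp->unit.land, &sect)` relies on `sect` having been loaded for the current candidate neighbour earlier in this loop iteration, and that load is outside the hunk. The `sect.sct_type == SCT_MOUNT` test just above suggests it has been, but a one-line comment before the call, such as `/* sect is the candidate retreat sector loaded above */`, would record the dependency. The first hunk still declares `mobcost` and `bmcost` without initializers, and the third hunk's `(int)bmcost` depends on an assignment that is not visible here, so `double mobcost = 0.0, bmcost = 0.0;` would make that path defined even if a later edit reorders the loop. Compilers rarely warn when an uninitialized struct is passed by address, so exercising the retreat path under Valgrind or MemorySanitizer is the more reliable regression check for this class of bug. lnd_take_casualty's body starts and ends outside the hunks.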
@@ -256,7 +255,6 @@ lnd_take_casualty(int combat_mode, struct ulist *llp, int cas)
                llp->unit.land.lnd_x = bx;
                llp->unit.land.lnd_y = by;
                /* FIXME landmines */
-               getsect(bx, by, &rsect);
                mob = llp->unit.land.lnd_mobil - (int)bmcost;
                if (mob < -127)
                    mob = -127;