Fix seqno mismatch and use-after-free in shp_sweep()

The code wrote the swept sector after calling shp_check_one_mines().
This failed to use up the mine that hit the minesweeper, and triggered
a seqno mismatch oops.

The code wrote the minesweeper after calling shp_check_one_mines().
This used freed memory when the minesweeper got sunk there.

Broken in 4.0.17.  Fix by moving both calls before
shp_check_one_mines().
(cherry picked from commit b0644e822cd10d93c1168f7b356068fabc02b2bf)

diff --git a/src/lib/subs/shpsub.c b/src/lib/subs/shpsub.c
index f5b90fd9b99bd482f4ebc80d1a36f23bcc6a64a8..9a97c2c58c714145bad5e8232279d349fa9b00a6 100644 (file)
--- a/src/lib/subs/shpsub.c
+++ b/src/lib/subs/shpsub.c
@@ -237,13 +237,13 @@ shp_sweep(struct emp_qelem *ship_list, int verbose, int takemob, natid actor)
        }
        sect.sct_mines = mines;
        mlp->unit.ship.shp_item[I_SHELL] = shells;
+       putship(mlp->unit.ship.shp_uid, &mlp->unit.ship);
+       putsect(&sect);
        if (shp_check_one_mines(mlp)) {
            stopping = 1;
            emp_remque(qp);
            free(qp);
        }
-       putship(mlp->unit.ship.shp_uid, &mlp->unit.ship);
-       putsect(&sect);
     }
     if (changed)
        writemap(actor);