empire/empserver
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix uninitialized variable use in defending land unit retreat

Browse source 
lnd_take_casualty() uses uninitialized rsect to compute the mobility
cost of retreating a defending land unit.  This can charge incorrect
mobility, prevent retreat, or, if the stars align just right, crash
the server when sector_mcost() subscripts dchr[] with it.

Broken in commit 4e7c993a, v4.3.6.  Reported by Scott C. Zielinski.
This commit is contained in:
Markus Armbruster 2012-03-05 12:57:33 +01:00
parent 9b92ac633d
commit 68dc9b2936
1 changed files with 1 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/lib/subs/lndsub.c
View file

@ -169,7 +169,6 @@ lnd_take_casualty(int combat_mode, struct ulist *llp, int cas)
char buf[1024]; char buf[1024];
int taken; int taken;
int nowhere_to_go = 0; int nowhere_to_go = 0;
struct sctstr rsect;
double mobcost, bmcost; double mobcost, bmcost;
signed char orig; signed char orig;
int mob; int mob;
@ -237,7 +236,7 @@ lnd_take_casualty(int combat_mode, struct ulist *llp, int cas)
continue; continue;
if (sect.sct_type == SCT_MOUNT) if (sect.sct_type == SCT_MOUNT)
continue; continue;
mobcost = lnd_mobcost(&llp->unit.land, &rsect); mobcost = lnd_mobcost(&llp->unit.land, &sect);
if (mobcost < 0) if (mobcost < 0)
continue; continue;
++nowned; ++nowned;
@ -256,7 +255,6 @@ lnd_take_casualty(int combat_mode, struct ulist *llp, int cas)
llp->unit.land.lnd_x = bx; llp->unit.land.lnd_x = bx;
llp->unit.land.lnd_y = by; llp->unit.land.lnd_y = by;
/* FIXME landmines */ /* FIXME landmines */
getsect(bx, by, &rsect);
mob = llp->unit.land.lnd_mobil - (int)bmcost; mob = llp->unit.land.lnd_mobil - (int)bmcost;
if (mob < -127) if (mob < -127)
mob = -127; mob = -127;