From fbefc139f4fe6b9ba6068d6493a900f7b7d77b22 Mon Sep 17 00:00:00 2001
From: Markus Armbruster
Date: Sat, 28 Jun 2008 09:15:49 -0400
Subject: [PATCH] Fix seqno mismatch and use-after-free in shp_sweep()

The code wrote the swept sector after calling shp_check_one_mines(). This failed to use up the mine that hit the minesweeper, and triggered a seqno mismatch oops. The code wrote the minesweeper after calling shp_check_one_mines(). This used freed memory when the minesweeper got sunk there. Broken in 4.0.17. Fix by moving both calls before shp_check_one_mines(). (cherry picked from commit b0644e822cd10d93c1168f7b356068fabc02b2bf)
---
 src/lib/subs/shpsub.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/lib/subs/shpsub.c b/src/lib/subs/shpsub.c
index f5b90fd9..9a97c2c5 100644
--- a/src/lib/subs/shpsub.c
+++ b/src/lib/subs/shpsub.c
@@ -237,13 +237,13 @@ shp_sweep(struct emp_qelem *ship_list, int verbose, int takemob, natid actor)
         }
         sect.sct_mines = mines;
         mlp->unit.ship.shp_item[I_SHELL] = shells;
+        putship(mlp->unit.ship.shp_uid, &mlp->unit.ship);
+        putsect(§);
         if (shp_check_one_mines(mlp)) {
             stopping = 1;
             emp_remque(qp);
             free(qp);
         }
-        putship(mlp->unit.ship.shp_uid, &mlp->unit.ship);
-        putsect(§);
     }
     if (changed)
         writemap(actor);
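Review bot: The two moved calls, `putship(...)` and `putsect(...)`, are now order-critical with respect to `shp_check_one_mines(mlp)`, but nothing in the code records that; a later tidy-up that moves the writes back below the check would silently reintroduce both the stale-sector seqno mismatch and the use-after-free this commit fixes. A comment above the new `putship()` line would pin the invariant, e.g. `/* Write ship and sector before shp_check_one_mines(): per the fix history it may sink the ship (freeing mlp) and it writes the sector itself, so our copies must be persisted first. */`. The `free(qp)` on the context lines leaves `qp` dangling for the rest of the iteration; whether the loop's advance reads `qp` after this point cannot be seen here, since shp_sweep's head and loop increment lie outside the hunk, so that is worth confirming. Separately, `putsect(§)` on this page is evidently `putsect(&sect)` mangled as an HTML entity in rendering, not a defect in the patch.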