From: Mark A. Heilpern (heilpern@MINDSPRING.COM)
Date: 01/04/98

I've found a somewhat serious bug that is still present in bpl12. I suspect
this bug is responsible for the previously mysterious "when I create a new
mob I crash" bug.

This bug is potentially causing a buffer underflow when writing to the
array in assign_the_shopkeepers().

The function performs:     mob_index[SHOP_KEEPER(index)].func = shop_keeper;
to assign the shop_keeper specproc. However, there is no sanity check to make
sure SHOP_KEEPER(index) is a valid index and, in fact, in using OasisOLC to
make shops, it is possible for this macro to return -1, having us write
the mob_index pointer.  Now, a common malloc() technique, to allow free()
to work,
is to store the size of the buffer just below the "beginning" of the
buffer. I don't know
if gnu's malloc() does this or not, but certainly when the mob_index buffer
is underflowed,
trying to free(mob_index) causes problems.

The fix is simple - just conditionalize on SHOP_KEEPER(index)>=0 and, if that
condition is false, log a SYSERR.

In eQuoria, I also made "show errors" display keeperless shops, to more easily
keep tabs on this.

Mark A. Heilpern --- Sammy @ eQuoria MUD

     | Ensure that you have read the CircleMUD Mailing List FAQ:  |
     | |

This archive was generated by hypermail 2b30 : 12/15/00 PST