Avoid bad access deref in swapchest 'A'

If a player elected to remove multiple items from the swapchest, whether by "A" or by selecting more than one in the menu, and the _second_ one in the list would have put her over the weight limit (i.e. would prompt "Continue?"), selecting 'n' rather than 'y' or 'q' to that prompt could crash the game as it tried to continue down the chain of swap items after they had been freed. Add some further tests to avoid this: do the "swap chest is dormant" check first, before testing the weight and prompting, and return -1 to stop attempting to continue down the cobj linked list when an item is removed from the swapchest.
tnnt-devteam · Nov 26, 2024 · 535e5bf · 535e5bf
1 parent 31c5191
commit 535e5bf
Showing 1 changed file with 11 additions and 8 deletions.
diff --git a/src/pickup.c b/src/pickup.c
@@ -2669,6 +2669,16 @@ register struct obj *obj;
         obj->owt = weight(obj);
     }
 
+    if (current_container->otyp == SWAP_CHEST
+        && current_container->swapitems < SWAP_ITEMS_MIN) {
+        /* should not get to here if we haven't contributed to the chest */
+        You_feel(current_container->swapitems == SWAP_CHEST_USED_UP
+                    ? "%s is no longer interested in dealing with you."
+                    : "%s wants something from you first.",
+                    the(xname(current_container)));
+        return -1;
+    }
+
     if (obj->oartifact && !touch_artifact(obj, &youmonst))
         return 0;
 
@@ -2685,14 +2695,6 @@ register struct obj *obj;
 
     /* TNNT swap chest --> */
     if (current_container->otyp == SWAP_CHEST) {
-        if (current_container->swapitems < SWAP_ITEMS_MIN) {
-            /* should not get to here if we haven't contributed to the chest */
-            You_feel(current_container->swapitems == SWAP_CHEST_USED_UP
-                       ? "%s is no longer interested in dealing with you."
-                       : "%s wants something from you first.",
-                     the(xname(current_container)));
-            return -1;
-        }
         if (!delete_swapobj_file(obj)) {
             /* fails if file already doesn't exist */
             pline("You reach for %s, but %s!",
@@ -2778,6 +2780,7 @@ register struct obj *obj;
                        prefix, itemname);
         if (save_oname && !obj->oartifact)
             ONAME(obj) = save_oname;
+        return -1; /* don't try to remove any more items */
     }
     /* <-- */