    85156e28
    A crash can occur when dropping an equipped item on the floor. · 85156e28
    fluzz authored
    When the user clicks on an equipped item, that item is 'temporarily'
    placed on the floor, and so placed in a free slot of the level->item_list
    dynarray.
    
    The item is also 'held in hand', via a pointer to the item_list's slot.
    This pointer is called 'item_held_in_hand'.
    
    When the held-in-hand item is eventually dropped on the floor, a
    new free storage slot is created in the level->item_list, the
    temporary slot's content is moved into that new slot, and the
    temporary slot, pointed to by item_held_in_hand, is cleared.
    
    But when the new free slot is created, the item_list dynarray may need
    to be expanded, through a call to realloc(). The item_held_in_hand
    pointer is then possibly no longer pointing into the reallocated
    dynarray, or even pointing at a wrong place.
    
    The 'temporary' item is now in another memory location, and clearing
    item_held_in_hand no longer clears the 'temporary' item.
    
    This leads to a duplication of the dropped item, with the same content.
    
    This patch ensures that the 'temporary' item is cleared before the
    possible expansion of the dynarray.
    
    Fixes #1002
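The pointer-invalidation problem the commit message describes, reduced to a self-contained C program. This is an added example written for this page, not FreedroidRPG's item or dynarray code: `struct item`, `struct dynarray`, `dynarray_reserve`, `points_into`, `drop_held_buggy`, `drop_held_fixed`, `run_buggy` and `run_fixed` are all hypothetical names. Two deliberate simplifications: the array grows with malloc+memcpy+free rather than realloc() so the buffer is guaranteed to move (realloc() may or may not move it, which is why this class of bug is intermittent), and the buggy ordering refuses the stale access and reports it instead of performing it, so the program stays well-defined while still showing that the held pointer no longer refers to the live array.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical item and dynarray, modelled on the commit message only. */
struct item {
    int type;       /* 0 means "empty slot" */
    int quantity;
};

struct dynarray {
    struct item *arr;
    int size;       /* slots in use, including the 'temporary' one */
    int capacity;
};

static void dynarray_init(struct dynarray *d, int capacity)
{
    d->arr = calloc((size_t)capacity, sizeof *d->arr);
    d->size = 0;
    d->capacity = capacity;
}

static void dynarray_free(struct dynarray *d)
{
    free(d->arr);
    d->arr = NULL;
    d->size = d->capacity = 0;
}

/* Reserve one slot, growing the buffer if it is full. Returns the slot
 * index. Every pointer into d->arr taken before this call must be treated
 * as dead afterwards: the old block is freed and a new one replaces it. */
static int dynarray_reserve(struct dynarray *d)
{
    if (d->size == d->capacity) {
        int newcap = d->capacity * 2;
        struct item *fresh = calloc((size_t)newcap, sizeof *fresh);
        memcpy(fresh, d->arr, (size_t)d->size * sizeof *fresh);
        free(d->arr);            /* old pointers now dangle */
        d->arr = fresh;
        d->capacity = newcap;
    }
    return d->size++;
}

/* True if p points at a live slot of d (address-range check, no deref). */
static int points_into(const struct dynarray *d, const struct item *p)
{
    uintptr_t lo = (uintptr_t)d->arr;
    uintptr_t hi = lo + (uintptr_t)d->size * sizeof *d->arr;
    uintptr_t q = (uintptr_t)p;
    return q >= lo && q < hi;
}

static int count_type(const struct dynarray *d, int type)
{
    int n = 0;
    for (int i = 0; i < d->size; i++)
        if (d->arr[i].type == type)
            n++;
    return n;
}

/* Pre-fix ordering: create the new slot first, then copy from and clear
 * the held slot. In the real code both accesses go through the stale
 * pointer (heap use-after-free) and the clear misses the live copy, so the
 * item is duplicated. Here the stale access is detected and refused: -1. */
static int drop_held_buggy(struct dynarray *list, struct item *held)
{
    int idx = dynarray_reserve(list);        /* may move the buffer */
    if (!points_into(list, held))
        return -1;                           /* would touch freed memory */
    list->arr[idx] = *held;
    memset(held, 0, sizeof *held);
    return idx;
}

/* Fixed ordering, as the commit describes: take the content out of the
 * temporary slot and clear it BEFORE anything that can move the buffer. */
static int drop_held_fixed(struct dynarray *list, struct item *held)
{
    struct item copy = *held;                /* held is still valid here */
    memset(held, 0, sizeof *held);
    int idx = dynarray_reserve(list);        /* held is not used past this point */
    list->arr[idx] = copy;
    return idx;
}

/* Constructed scenario: a full list whose last slot is the 'temporary'
 * floor copy of an equipped item, referenced by an item_held_in_hand-style
 * pointer. The next reserve is guaranteed to move the buffer. */
static void setup(struct dynarray *list, struct item **held, int type)
{
    dynarray_init(list, 2);
    int first = dynarray_reserve(list);
    list->arr[first] = (struct item){ .type = 1, .quantity = 1 };
    int tmp = dynarray_reserve(list);
    list->arr[tmp] = (struct item){ .type = type, .quantity = 1 };
    *held = &list->arr[tmp];
}

/* -1 if the buggy path would have dereferenced a dangling pointer. */
int run_buggy(void)
{
    struct dynarray list; struct item *held;
    setup(&list, &held, 42);
    int r = drop_held_buggy(&list, held);
    int n = r < 0 ? -1 : count_type(&list, 42);
    dynarray_free(&list);
    return n;
}

/* Number of copies of the dropped item left in the list after the fix. */
int run_fixed(void)
{
    struct dynarray list; struct item *held;
    setup(&list, &held, 42);
    drop_held_fixed(&list, held);
    int n = count_type(&list, 42);
    dynarray_free(&list);
    return n;
}

int main(void)
{
    printf("buggy order: %d (-1 = stale pointer)\n", run_buggy());
    printf("fixed order: %d copies of the dropped item\n", run_fixed());
    return 0;
}
```

Building the unguarded version of `drop_held_buggy` with `-fsanitize=address` reports the stale read as a heap-use-after-free at the `*held` access, which is the quickest way to confirm a suspected realloc()-invalidation bug in code like this. Reordering the clear before the growth, as the commit does, fixes this call path; holding the temporary slot as an index into the dynarray rather than as a raw pointer removes the hazard for every future caller, since an index stays valid across reallocation.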