draconisPW / PWMAngband

A free, multi-player roguelike dungeon exploration game based on Angband

Adding and removing party - client crash #591

Closed s88100 closed 1 year ago

s88100 commented 1 year ago

After adding and removing a party ('P' Access party menu), at some point the client freezes. Added party Player1 - Player2: (1) Create a party, and alternately (2) Add a player to party / (3) Delete a player from party, many times, or (4) Leave your current party. Sometimes there is an error after calling the map (shift+m):

free(): double free detected in tcache 2

gdb ./pwmangclient
(gdb) run
. . .
Thread 1 "pwmangclient" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: There is no such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7cdb537 in __GI_abort () at abort.c:79
#2  0x00007ffff7d34768 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7e523a5 "%s\n")
at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff7d3ba5a in malloc_printerr (str=str@entry=0x7ffff7e546f0 "free(): double free detected in tcache 2")
at malloc.c:5347
#4  0x00007ffff7d3d055 in _int_free (av=0x7ffff7e88b80 <main_arena>, p=0x555555ab6790, have_lock=0) at malloc.c:4201
#5  0x00005555555ba48e in mem_free (p=0x555555ab67a0) at common/z-virt.c:56
#6  0x00005555555788d0 in Receive_minipos () at client/netclient.c:3363
#7  0x000055555557e77c in Net_packet () at client/netclient.c:6360
#8  0x000055555557eb34 in Net_input () at client/netclient.c:6534
#9  0x0000555555597202 in Net_loop (inkey_handler=
0x5555555b1112 <Term_inkey>, callback_begin=0x55555556b8a4 <map_callback_begin>, callback_end=0x0, scan_cutoff=0 '\000', inmap=true) at client/ui-input.c:1346
#10 0x000055555556b93a in view_map_aux (mode=0 '\000') at client/c-cmd.c:164
#11 0x000055555556bade in do_cmd_view_map () at client/c-cmd.c:215
#12 0x00005555555939da in textui_process_command_aux (e=...) at client/ui-game.c:309
#13 0x0000555555593a45 in textui_process_command () at client/ui-game.c:341
#14 0x00005555555940e6 in input_callback_end (inmap=false) at client/ui-init.c:317
#15 0x000055555559722a in Net_loop (inkey_handler=
0x0, callback_begin=0x0, callback_end=0x5555555940d4 <input_callback_end>, scan_cutoff=0 '\000', inmap=false)
at client/ui-input.c:1354
#16 0x0000555555594143 in Input_loop () at client/ui-init.c:341
#17 0x0000555555594fe4 in client_init (new_game=true) at client/ui-init.c:753
#18 0x00005555555ba97e in main (argc=1, argv=0x7fffffffe0f8) at client/main.c:182
(gdb) up 6
#6  0x00005555555788d0 in Receive_minipos () at client/netclient.c:3363
3363                mem_free(party_x);
(gdb) list
3358            cursor_x = x;
3359            if (idx != party_n)
3360            {
3361                party_n = idx;
3362                mem_free(party_y);
3363                mem_free(party_x);
3364                if (party_n > 0)
3365                {
3366                    party_y = mem_zalloc(party_n * sizeof(int));
3367                    party_x = mem_zalloc(party_n * sizeof(int));

Video 01:10 - (4) Leave your current party; video 01:22 - shift+m and client crash.

https://user-images.githubusercontent.com/71586060/215675588-20afcb2c-a1da-4885-9239-55483218a4f8.mp4

draconisPW commented 1 year ago

Adding and removing a player doesn't do anything as the code that frees party coordinates isn't called in that case. This can only occur when a party is created or when a party is disbanded.

draconisPW commented 1 year ago

Clearly the mem_free should be followed by setting to NULL if the pointer has to be reused later. When creating and disbanding a party, the memory is freed and reused for something else and that something else is freed again, resulting in a crash pretty much randomly somewhere else.
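The free-without-NULL pattern described above, as an added example that is not PWMAngband's code: a hypothetical tracking allocator stands in for mem_zalloc()/mem_free() so the second free is counted instead of aborting the process, and set_party_size() mirrors the Receive_minipos() excerpt from the backtrace in both its buggy and its fixed form.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Hypothetical stand-in for the client's mem_zalloc()/mem_free(): blocks are
 * recorded and never handed back to calloc(), so a stale pointer is always
 * recognised and a second free is counted instead of aborting like glibc. */
static struct { void *p; bool live; } slots[32];
static int nslots, double_frees;
static void *track_zalloc(size_t n)
{
    void *p = calloc(1, n ? n : 1);
    if (nslots < 32) { slots[nslots].p = p; slots[nslots++].live = true; }
    return p;
}

static void track_free(void *p)
{
    for (int i = 0; p && i < nslots; i++) {    /* free(NULL) is a no-op */
        if (slots[i].p != p) continue;
        if (!slots[i].live) double_frees++;    /* second free of one block */
        slots[i].live = false;
        return;
    }
}

static int *party_x, *party_y, party_n;
/* Mirrors the Receive_minipos() logic in the backtrace: free the old coordinate
 * arrays on a size change, allocate new ones only if the party is non-empty.
 * Without the NULL reset a disband (idx == 0) leaves both pointers dangling. */
static void set_party_size(int idx, bool null_after_free)
{
    if (idx == party_n) return;
    party_n = idx;
    track_free(party_y);
    track_free(party_x);
    if (null_after_free) party_y = party_x = NULL;   /* the fix */
    if (party_n > 0) {
        party_y = track_zalloc(party_n * sizeof(int));
        party_x = track_zalloc(party_n * sizeof(int));
    }
}

/* Create a two-member party and disband it, twice; returns double frees seen. */
static int run_scenario(bool null_after_free)
{
    double_frees = party_n = 0; party_x = party_y = NULL;
    for (int i = 0; i < 2; i++) {
        set_party_size(2, null_after_free);   /* (1) Create a party */
        set_party_size(0, null_after_free);   /* (4) Leave / disband */
    }
    return double_frees;
}
```

With the pointers left dangling the second create/disband cycle frees both stale arrays again (two double frees); with the NULL reset the same sequence frees nothing twice.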

draconisPW commented 1 year ago

Fixed.