elunna / NerfHack

The official rewrite of Hack'EM rebased on NetHack 3.7

muse scroll of water - SIGSEGV #51

Closed elunna closed 2 months ago

elunna commented 2 months ago
Very obscure bug found while fuzzing.

(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x0000555555ee6725 in right_side (row=2, left=11, right_mark=14, limits=0x5555561eeebc <circle_data+28>) at vision.c:1813
#2  0x0000555555ee691c in right_side (row=3, left=11, right_mark=15, limits=0x5555561eeeba <circle_data+26>) at vision.c:1823
#3  0x0000555555ee691c in right_side (row=4, left=11, right_mark=15, limits=0x5555561eeeb8 <circle_data+24>) at vision.c:1823
#4  0x0000555555ee85da in view_from (srow=5, scol=11, loc_cs_rows=0x0, left_most=0x0, right_most=0x0, range=4, 
    func=0x555555d04cd2 <flood_space>, arg=0x7fffffffd750) at vision.c:2063
#5  0x0000555555ee86cd in do_clear_area (scol=11, srow=5, range=4, func=0x555555d04cd2 <flood_space>, arg=0x7fffffffd750)
    at vision.c:2091
#6  0x0000555555d0f226 in seffect_water (sobjp=0x7fffffffd860, mtmp=0x611000344e40) at read.c:2318
#7  0x0000555555bb11f6 in use_defensive (mtmp=0x611000344e40) at muse.c:1076
#8  0x0000555555b8fbd2 in m_move (mtmp=0x611000344e40, after=0) at monmove.c:2011
#9  0x0000555555b83872 in dochug (mtmp=0x611000344e40) at monmove.c:951
#10 0x0000555555b7be9b in dochugw (mtmp=0x611000344e40, chug=1 '\001') at monmove.c:229
#11 0x0000555555b410da in movemon_singlemon (mtmp=0x611000344e40) at mon.c:1664
#12 0x0000555555b60550 in iter_mons_safe (bfunc=0x555555b401e2 <movemon_singlemon>) at mon.c:5086
#13 0x0000555555b41136 in movemon () at mon.c:1674
#14 0x00005555557b9cfc in moveloop_core () at allmain.c:196
#15 0x00005555557bca33 in moveloop (resuming=0 '\000') at allmain.c:588
#16 0x0000555555f7bfd8 in main (argc=4, argv=0x7fffffffdf38) at ../sys/unix/unixmain.c:323

(gdb) p **sobjp
$5 = {nobj = 0x0, v = {v_nexthere = 0x0, v_ocontainer = 0x0, v_ocarry = 0x0}, cobj = 0x0, o_id = 368508, ox = 11, oy = 5, otyp = 360, 
  owt = 1, quan = 1, spe = 0 '\000', oclass = 9 '\t', invlet = 0 '\000', oartifact = 0 '\000', where = 9 '\t', timed = 0, cursed = 0, 
  blessed = 0, unpaid = 0, no_charge = 0, known = 1, dknown = 1, bknown = 0, rknown = 1, oeroded = 0, oeroded2 = 0, oerodeproof = 0, 
  olocked = 0, obroken = 0, otrapped = 0, recharged = 0, lamplit = 0, globby = 0, greased = 0, nomerge = 0, how_lost = 0, in_use = 0, 
  bypass = 0, cknown = 0, lknown = 0, pickup_prev = 0, ghostly = 0, corpsenm = -1, usecount = 0, oeaten = 0, age = 328141, 
  owornmask = 0, lua_ref_cnt = 0, omigr_from_dnum = 0, omigr_from_dlevel = 0, oextra = 0x0}

(gdb) p *mtmp
$6 = {nmon = 0x611000342140, data = 0x5555564cd4a0 <mons+7840>, m_id = 368547, mnum = 70, cham = -1, movement = 12, m_lev = 4 '\004', 
  malign = 7 '\a', mx = 11, my = 5, mux = 11, muy = 1, mtrack = {{x = 12, y = 4}, {x = 12, y = 3}, {x = 13, y = 4}, {x = 14, y = 4}}, 
  mhp = 19, mhpmax = 19, mappearance = 0, m_ap_type = 0 '\000', mtame = 0 '\000', mintrinsics = 0, mextrinsics = 0, seen_resistance = 0, 
  mspec_used = 0, female = 1, minvis = 0, invis_blkd = 0, perminvis = 0, mcan = 0, mburied = 0, mundetected = 0, mcansee = 1, 
  mspeed = 0, permspeed = 0, mrevived = 0, mcloned = 0, mavenge = 0, mflee = 0, mfleetim = 0, msleeping = 0, mblinded = 0, mstun = 0, 
  mfrozen = 0, mcanmove = 1, mconf = 0, mdiseased = 0, mdiseabyu = 0, mpeaceful = 0, mtrapped = 0, mleashed = 0, isshk = 0, 
  isminion = 0, isgd = 0, ispriest = 0, iswiz = 0, wormno = 0, mtemplit = 0, meverseen = 1, mwither_from_u = 0, mberserk = 0, 
  mrabid = 0, mspotted = 1, mwither = 0 '\000', mstrategy = 0, mtrapseen = 6291456, mlstmv = 0, mstate = 0, migflags = 0, mspare1 = 0, 
  minvent = 0x60b00052ec30, mw = 0x0, misc_worn_check = 0, weapon_check = 0, former_rank = '\000' <repeats 24 times>, meating = 0, 
  msummoned = 0, mdiseasetime = 0, mreflecttime = 0, mphasetime = 0, mprotection = 0 '\000', mprottime = 0 '\000', mextra = 0x0}
(gdb) 

mtmp is at mx = 11, my = 5 (matching scol = 11, srow = 5 in frame #4). Frame #0 sitting at address 0x0 suggests the function pointer invoked at vision.c:1813 was NULL at that point, and varg is also NULL there even though view_from was entered with a non-null arg:

(gdb) l
1808                if (right > lim_max)
1809                    right = lim_max;
1810                /* set the bits */
1811                if (vis_func) {
1812                    for (i = left; i <= right; i++)
1813                        (*vis_func)(i, row, varg);
1814                } else {
1815                    for (i = left; i <= right; i++)
1816                        set_cs(rowp, i);
1817                    set_min(left);
(gdb) p i
$7 = 13
(gdb) p row
$8 = 2
(gdb) p varg
$9 = (genericptr_t) 0x0
(gdb) p right
$10 = 14
(gdb) 
elunna commented 2 months ago

Fixed in 642ffc004