A variant of NetHack that is designed to be a much more challenging experience than the original, drawing inspiration and content from various existing variants along with adding unique and never-before-seen custom content.
Found with fuzzer: heap-use-after-free when wielded and hit crystal ball breaks #129
This is the backtrace from the fuzzer:
Occurred on move 25609.
Role: Ranger
Race: Human
#0 __sanitizer::internal__exit (exitcode=1) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_linux.cpp:448
#1 0x00007f7768cf72b7 in __sanitizer::Die () at ../../../../src/libsanitizer/sanitizer_common/sanitizer_termination.cpp:59
#2 0x00007f7768cd675c in __asan::ScopedInErrorReport::~ScopedInErrorReport (this=0x7ffff0c78e36, __in_chrg=<optimized out>)
at ../../../../src/libsanitizer/asan/asan_report.cpp:190
#3 0x00007f7768cd5ff5 in __asan::ReportGenericError (pc=93900865714040, bp=bp@entry=140737233001136, sp=sp@entry=140737233001120,
addr=106377756364170, is_write=is_write@entry=true, access_size=5, exp=0, fatal=true) at ../../../../src/libsanitizer/asan/asan_report.cpp:478
#4 0x00007f7768cd771b in __asan::__asan_report_store_n (addr=<optimized out>, size=<optimized out>)
at ../../../../src/libsanitizer/asan/asan_rtl.cpp:147
#5 0x00005566ffbeb778 in hmon_hitmon (mon=0x6110001aabc0, obj=0x60c000614d40, thrown=0, dieroll=4) at uhitm.c:2044
#6 0x00005566ffbcb113 in hmon (mon=0x6110001aabc0, obj=0x60c000614d40, thrown=0, dieroll=4) at uhitm.c:968
#7 0x00005566ffbc73a6 in known_hitum (mon=0x6110001aabc0, weapon=0x60c000614d40, mhit=0x7ffff0c7a170, rollneeded=15, armorpenalty=0,
uattk=0x5566fff4eeb8 <mons+48792>, dieroll=4) at uhitm.c:646
#8 0x00005566ffbc9565 in hitum (mon=0x6110001aabc0, uattk=0x5566fff4eeb8 <mons+48792>) at uhitm.c:826
#9 0x00005566ffbc3e83 in attack (mtmp=0x6110001aabc0) at uhitm.c:591
#10 0x00005566ff4be2d2 in domove_core () at hack.c:1810
#11 0x00005566ff4a9359 in domove () at hack.c:1517
#12 0x00005566ff28bedc in rhack (cmd=0x5567000c7900 <in_line> "k") at cmd.c:5506
#13 0x00005566ff1a4aac in moveloop (resuming=0 '\000') at allmain.c:804
#14 0x00005566ffd2333c in main (argc=0, argv=0x7ffff0c7ad98) at ../sys/unix/unixmain.c:353
This is the ASAN dump from my successful reproduction: I just wished for a crystal ball, wielded it, and attacked something, and it broke.
=================================================================
==313483==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000002b4a at pc 0x55555618973f bp 0x7fffffffd1b0 sp 0x7fffffffd1a0
WRITE of size 5 at 0x60c000002b4a thread T0
#0 0x55555618973e in hmon_hitmon /home/erik/Documents/EvilHack/src/uhitm.c:2044
#1 0x5555561690d9 in hmon /home/erik/Documents/EvilHack/src/uhitm.c:968
#2 0x55555616536c in known_hitum /home/erik/Documents/EvilHack/src/uhitm.c:646
#3 0x55555616752b in hitum /home/erik/Documents/EvilHack/src/uhitm.c:826
#4 0x555556161e49 in attack /home/erik/Documents/EvilHack/src/uhitm.c:591
#5 0x555555a5c298 in domove_core /home/erik/Documents/EvilHack/src/hack.c:1810
#6 0x555555a4731f in domove /home/erik/Documents/EvilHack/src/hack.c:1517
#7 0x555555829ea2 in rhack /home/erik/Documents/EvilHack/src/cmd.c:5506
#8 0x555555742aab in moveloop /home/erik/Documents/EvilHack/src/allmain.c:804
#9 0x5555562c1302 in main ../sys/unix/unixmain.c:353
#10 0x7ffff7365d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#11 0x7ffff7365e3f in __libc_start_main_impl ../csu/libc-start.c:392
#12 0x55555573aac4 in _start (/home/erik/games/evilhackdir/evilhack+0x1e6ac4)
0x60c000002b4a is located 74 bytes inside of 128-byte region [0x60c000002b00,0x60c000002b80)
freed by thread T0 here:
#0 0x7ffff7672517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x555555cc532e in dealloc_obj /home/erik/Documents/EvilHack/src/mkobj.c:2507
#2 0x555555fe0f80 in obfree /home/erik/Documents/EvilHack/src/shk.c:1023
#3 0x555555a8a15a in delobj_core /home/erik/Documents/EvilHack/src/invent.c:1259
#4 0x555555a89dce in delobj /home/erik/Documents/EvilHack/src/invent.c:1223
#5 0x5555559975d6 in breakobj /home/erik/Documents/EvilHack/src/dothrow.c:2444
#6 0x555555998da5 in break_glass_obj /home/erik/Documents/EvilHack/src/dothrow.c:2636
#7 0x55555618960d in hmon_hitmon /home/erik/Documents/EvilHack/src/uhitm.c:2042
#8 0x5555561690d9 in hmon /home/erik/Documents/EvilHack/src/uhitm.c:968
#9 0x55555616536c in known_hitum /home/erik/Documents/EvilHack/src/uhitm.c:646
#10 0x55555616752b in hitum /home/erik/Documents/EvilHack/src/uhitm.c:826
#11 0x555556161e49 in attack /home/erik/Documents/EvilHack/src/uhitm.c:591
#12 0x555555a5c298 in domove_core /home/erik/Documents/EvilHack/src/hack.c:1810
#13 0x555555a4731f in domove /home/erik/Documents/EvilHack/src/hack.c:1517
#14 0x555555829ea2 in rhack /home/erik/Documents/EvilHack/src/cmd.c:5506
#15 0x555555742aab in moveloop /home/erik/Documents/EvilHack/src/allmain.c:804
#16 0x5555562c1302 in main ../sys/unix/unixmain.c:353
#17 0x7ffff7365d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
previously allocated by thread T0 here:
#0 0x7ffff7672867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x555555746457 in alloc /home/erik/Documents/EvilHack/src/alloc.c:46
#2 0x555555cb8c35 in mksobj /home/erik/Documents/EvilHack/src/mkobj.c:866
#3 0x555555e6cb72 in readobjnam /home/erik/Documents/EvilHack/src/objnam.c:4667
#4 0x5555562bd5a1 in makewish /home/erik/Documents/EvilHack/src/zap.c:6464
#5 0x5555557f982e in wiz_wish /home/erik/Documents/EvilHack/src/cmd.c:811
#6 0x55555582a3ae in rhack /home/erik/Documents/EvilHack/src/cmd.c:5544
#7 0x555555742aab in moveloop /home/erik/Documents/EvilHack/src/allmain.c:804
#8 0x5555562c1302 in main ../sys/unix/unixmain.c:353
#9 0x7ffff7365d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-use-after-free /home/erik/Documents/EvilHack/src/uhitm.c:2044 in hmon_hitmon
Shadow bytes around the buggy address:
0x0c187fff8510: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fff8520: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c187fff8530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c187fff8540: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fff8550: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
=>0x0c187fff8560: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
0x0c187fff8570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff8580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff8590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff85a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff85b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==313483==ABORTING
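The two ASan stacks above describe the shape of the defect: the wielded object is freed inside a callee (break_glass_obj, breakobj, delobj, obfree, dealloc_obj, entered from uhitm.c:2042) and the caller writes to it two lines later at uhitm.c:2044. The following is an added C model of that pattern and of the usual fix (the callee reports that the object is gone, and the caller drops its pointer instead of touching it). It is not EvilHack code; struct obj, break_if_fragile, hit_with_obj_unsafe and hit_with_obj_safe are constructed names, and a quarantine stands in for free() so the stray write is counted rather than being undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of an in-game object; the real struct obj is far larger. */
struct obj {
    char name[16];
    int fragile;   /* breaks when used to hit, like the crystal ball in the report */
    int freed;     /* quarantine marker, standing in for ASan's "fd" shadow byte */
};

/* Quarantine in place of free(): the memory stays mapped so a late access
 * can be counted instead of being undefined behaviour. */
#define QUARANTINE_MAX 16
static struct obj *quarantine[QUARANTINE_MAX];
static int quarantine_len;
static int uaf_writes;   /* writes that hit a freed object (ASan would abort) */

static struct obj *make_obj(const char *name, int fragile) {
    struct obj *o = calloc(1, sizeof *o);
    if (!o) abort();
    strncpy(o->name, name, sizeof o->name - 1);
    o->fragile = fragile;
    return o;
}

/* Stand-in for dealloc_obj(): poison the block and park it. */
static void obj_free_model(struct obj *o) {
    o->freed = 1;
    if (quarantine_len < QUARANTINE_MAX) quarantine[quarantine_len++] = o;
}

/* Every write goes through here, so a write to a freed object is visible. */
static void obj_set_name(struct obj *o, const char *s) {
    if (o->freed) { uaf_writes++; return; }
    strncpy(o->name, s, sizeof o->name - 1);
    o->name[sizeof o->name - 1] = '\0';
}

/* Model of break_glass_obj(): destroys a fragile object and reports whether it did. */
static int break_if_fragile(struct obj *o) {
    if (!o->fragile) return 0;
    obj_free_model(o);
    return 1;
}

/* Buggy shape (as in the report): the callee's verdict is ignored and the
 * caller keeps writing through its now-dangling pointer. Returns the number
 * of writes that landed on freed memory. */
static int hit_with_obj_unsafe(struct obj *wep) {
    uaf_writes = 0;
    (void) break_if_fragile(wep);   /* wep may have been freed here */
    obj_set_name(wep, "used");      /* the write at the "uhitm.c:2044" step */
    return uaf_writes;
}

/* Hardened shape: the break result gates every later access, and the
 * caller's own reference is cleared so nothing downstream can reuse it. */
static int hit_with_obj_safe(struct obj **wep) {
    uaf_writes = 0;
    if (break_if_fragile(*wep)) {
        *wep = NULL;
        return uaf_writes;          /* object is gone; do not touch it */
    }
    obj_set_name(*wep, "used");
    return uaf_writes;
}

/* Release quarantined blocks for real once no dangling use can follow. */
static void drain_quarantine(void) {
    while (quarantine_len > 0) free(quarantine[--quarantine_len]);
}

int main(void) {
    struct obj *ball = make_obj("crystal ball", 1);
    printf("unsafe path: %d write(s) to freed memory\n", hit_with_obj_unsafe(ball));
    struct obj *ball2 = make_obj("crystal ball", 1);
    printf("safe path:   %d write(s) to freed memory, pointer %s\n",
           hit_with_obj_safe(&ball2), ball2 ? "kept" : "cleared");
    struct obj *club = make_obj("club", 0);
    printf("non-fragile: %d write(s), name now \"%s\"\n",
           hit_with_obj_safe(&club), club->name);
    free(club);
    drain_quarantine();
    return 0;
}
```

The pattern to look for when triaging reports like this one is any function that can destroy the object it is handed (here the break path) being called from a caller that still holds the same pointer; the fix is to have the destroying path return that fact and to stop using, and clear, the pointer on that branch. ASan's "freed by" stack is what tells you which callee to look at.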