==330255==ERROR: AddressSanitizer: attempting double-free on 0x603000333ee0 in thread T0:
#0 0x7fdd4ca9a537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x562273905f39 in dealloc_oextra /home/user/Documents/hackem/src/mkobj.c:93
#2 0x562273918755 in dealloc_obj /home/user/Documents/hackem/src/mkobj.c:2642
#3 0x562273c8ba4a in obfree /home/user/Documents/hackem/src/shk.c:1175
#4 0x562273456560 in rot_organic /home/user/Documents/hackem/src/dig.c:2136
#5 0x5622734569e5 in rot_corpse /home/user/Documents/hackem/src/dig.c:2180
#6 0x562273d94e7e in run_timers /home/user/Documents/hackem/src/timeout.c:2524
#7 0x5622734a04fa in goto_level /home/user/Documents/hackem/src/do.c:2045
#8 0x5622734a28d1 in deferred_goto /home/user/Documents/hackem/src/do.c:2284
#9 0x5622732e0780 in moveloop /home/user/Documents/hackem/src/allmain.c:862
#10 0x562273ff7b77 in main ../sys/unix/unixmain.c:353
#11 0x7fdd4c401d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#12 0x7fdd4c401e3f in __libc_start_main_impl ../csu/libc-start.c:392
#13 0x5622732d7ac4 in _start (/home/user/games/hackemdir/hackem+0x238ac4)
Dlvl:2 0:33
0x603000333ee0 is located 0 bytes inside of 20-byte region [0x603000333ee0,0x603000333ef4)
freed by thread T0 here:
#0 0x7fdd4ca9a537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x5622734b5916 in free_oname /home/user/Documents/hackem/src/do_name.c:1050
#2 0x5622734ab740 in moldy_corpse /home/user/Documents/hackem/src/do.c:2556
#3 0x562273d94e7e in run_timers /home/user/Documents/hackem/src/timeout.c:2524
#4 0x5622734a04fa in goto_level /home/user/Documents/hackem/src/do.c:2045
#5 0x5622734a28d1 in deferred_goto /home/user/Documents/hackem/src/do.c:2284
#6 0x5622732e0780 in moveloop /home/user/Documents/hackem/src/allmain.c:862
#7 0x562273ff7b77 in main ../sys/unix/unixmain.c:353
#8 0x7fdd4c401d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
previously allocated by thread T0 here:
#0 0x7fdd4ca9a887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x5622732e4703 in alloc /home/user/Documents/hackem/src/alloc.c:46
#2 0x5622734b57cf in new_oname /home/user/Documents/hackem/src/do_name.c:1036
#3 0x562273c61b9d in restobj /home/user/Documents/hackem/src/restore.c:228
#4 0x562273c62163 in restobjchn /home/user/Documents/hackem/src/restore.c:278
#5 0x562273c66f14 in getlev /home/user/Documents/hackem/src/restore.c:1147
#6 0x56227349ed20 in goto_level /home/user/Documents/hackem/src/do.c:1941
#7 0x5622734a28d1 in deferred_goto /home/user/Documents/hackem/src/do.c:2284
#8 0x5622732e0780 in moveloop /home/user/Documents/hackem/src/allmain.c:862
#9 0x562273ff7b77 in main ../sys/unix/unixmain.c:353
#10 0x7fdd4c401d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: double-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 in __interceptor_free
==330255==ABORTING
I think this is caused by a moldy corpse buried in a box, but it's difficult to tell. Moldy corpses already have a restriction on growing when buried...
This is because in moldy_corpse you assign ONAME(body) = old_oname; but old_oname is just a pointer to the buffer from the heap that was freed earlier:
```c
/* Also, don't let the mold become named. */
if (has_oname(body)) {
    /* ONAME(body) = NULL;*/
    free_oname(body);
}
```
This leads to a double free later when you try to free ONAME. You should not assign freed pointers to ONAME, but rather always use new_oname to allocate a new buffer again from the heap. In any case, perhaps there is a much easier way of not naming the corpse than manipulating the oextra structure.
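The ownership mistake described in the comment above, reduced to a toy model. This is an added example, not part of the original thread and not the project's code; `toy_obj`, `toy_free_name`, `toy_set_name`, `transform_buggy`, `transform_fixed` and the `SHOW_BUG` macro are hypothetical names. The aliasing pattern is compiled out by default and sits beside a version that restores the name from a fresh allocation.

```c
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for an object with an optional heap-allocated name
 * (hypothetical model, not the project's struct obj / oextra). */
struct toy_obj {
    char *name; /* owned by the object; NULL when unnamed */
};

/* Free the name and clear the pointer, so a repeated call is a no-op. */
void toy_free_name(struct toy_obj *o)
{
    free(o->name);
    o->name = NULL;
}

/* Give the object its own fresh heap copy of src. Returns 0 on success. */
int toy_set_name(struct toy_obj *o, const char *src)
{
    char *copy = malloc(strlen(src) + 1);
    if (copy == NULL)
        return -1;
    strcpy(copy, src);
    toy_free_name(o);
    o->name = copy;
    return 0;
}

#ifdef SHOW_BUG
/* Pattern from the thread: the saved pointer aliases the freed buffer,
 * so the object owns freed memory and its destructor frees it again. */
void transform_buggy(struct toy_obj *o)
{
    char *old = o->name; /* alias, not a copy */
    toy_free_name(o);    /* buffer released */
    o->name = old;       /* dangling pointer stored back */
}
#endif

/* Fixed: duplicate the name first, free the original, hand over the copy. */
int transform_fixed(struct toy_obj *o)
{
    struct toy_obj saved = { NULL };
    if (o->name != NULL && toy_set_name(&saved, o->name) != 0)
        return -1;
    toy_free_name(o);     /* original buffer released exactly once */
    o->name = saved.name; /* ownership of the fresh copy moves to o */
    return 0;
}
```

Because `toy_free_name` clears the pointer, a second call on the same object frees `NULL`, which is a no-op, instead of freeing the same block twice.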