For each parser, run_parser() is called to do the parsing. However, at the end, there is:
r = fp->finish(p);
if (r) print_error(fp, p);
Problem is: in 99% of the cases, each "finish" method calls parser_destroy() on the parser, which calls mem_free() to free the memory associated with the parser. Then calling print_error() on a freed pointer will result in a crash.
I've looked at all parser_destroy() calls and found the following where the "finish" method doesn't return 0:
- obj-init.c: finish_parse_slay(), finish_parse_brand(), finish_parse_curse()
- ui-visuals.c: visuals_file_parser_finish()
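One defensive shape for the caller, as an added C example that is not the project's code and not necessarily the fix the project chose: copy the fields print_error() needs out of the parser before finish() runs, then report from the copy, so a finish method that frees the parser can no longer be dereferenced afterwards. The parser struct, finish_parse_example(), run_parser_finish() and make_failing_parser() are constructed stand-ins.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the parser state; not the project's struct. */
struct parser {
	int line;          /* line being parsed when the error was recorded */
	char error[64];    /* human-readable error text */
};

/* Snapshot of everything the error report needs, taken before finish(). */
struct parse_report {
	int result;        /* return value of the finish method */
	int line;
	char error[64];
};

static void parser_destroy(struct parser *p)
{
	free(p); /* after this, p must never be dereferenced */
}

/* Hypothetical finish method: returns non-zero on a recorded error and,
 * like the finish methods described in the report, destroys the parser. */
static int finish_parse_example(struct parser *p)
{
	int r = p->error[0] ? 1 : 0;
	parser_destroy(p);
	return r;
}

/* Safe caller: snapshot first, call finish (which may free p), then
 * print only from the snapshot, never from p. */
static struct parse_report run_parser_finish(struct parser *p,
                                             int (*finish)(struct parser *))
{
	struct parse_report rep;
	rep.line = p->line;
	strncpy(rep.error, p->error, sizeof rep.error - 1);
	rep.error[sizeof rep.error - 1] = '\0';
	rep.result = finish(p);     /* p is invalid from here on */
	if (rep.result)
		fprintf(stderr, "parse error at line %d: %s\n", rep.line, rep.error);
	return rep;
}

/* Builds a parser with a constructed error, for demonstration. */
static struct parser *make_failing_parser(void)
{
	struct parser *p = calloc(1, sizeof *p);
	if (!p) return NULL;
	p->line = 42;
	strcpy(p->error, "unknown directive");
	return p;
}
```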