From f5b65dacd63ac8767720f317ed227291a286e306 Mon Sep 17 00:00:00 2001
From: Holger Schemel
Date: Fri, 19 Feb 2021 00:24:23 +0100
Subject: [PATCH] fixed crash bug caused by freeing string buffer twice

When loading a snapshot, a string pointer in the tape structure was also restored from the snapshot, overwriting a potentially already changed string pointer, therefore causing the next free() to crash.
---
 src/files.c | 11 ++++++++---
 src/tape.c | 11 +++++------
 src/tape.h | 2 +-
 3 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/src/files.c b/src/files.c
index 39c0321a..5cca0e30 100644
--- a/src/files.c
+++ b/src/files.c
@@ -7765,16 +7765,21 @@ static int LoadTape_SCRN(File *file, int chunk_size, struct TapeInfo *tape)
 static int LoadTape_INFO(File *file, int chunk_size, struct TapeInfo *tape)
 {
+  char *level_identifier = NULL;
   int level_identifier_size;
   int i;
   level_identifier_size = getFile16BitBE(file);
-  tape->level_identifier =
-    checked_realloc(tape->level_identifier, level_identifier_size);
+  level_identifier = checked_malloc(level_identifier_size);
   for (i = 0; i < level_identifier_size; i++)
-    tape->level_identifier[i] = getFile8Bit(file);
+    level_identifier[i] = getFile8Bit(file);
+
+  strncpy(tape->level_identifier, level_identifier, MAX_FILENAME_LEN);
+  tape->level_identifier[MAX_FILENAME_LEN] = '\0';
+
+  checked_free(level_identifier);
   tape->level_nr = getFile16BitBE(file);
diff --git a/src/tape.c b/src/tape.c
index 2300f00b..c1e4bcea 100644
--- a/src/tape.c
+++ b/src/tape.c
@@ -541,7 +541,11 @@ void TapeErase(void)
   tape.length_seconds = 0;
   if (leveldir_current)
-    setString(&tape.level_identifier, leveldir_current->identifier);
+  {
+    strncpy(tape.level_identifier, leveldir_current->identifier,
+            MAX_FILENAME_LEN);
+    tape.level_identifier[MAX_FILENAME_LEN] = '\0';
+  }
   tape.level_nr = level_nr;
   tape.pos[tape.counter].delay = 0;
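Review bot: The new `strncpy(tape->level_identifier, level_identifier, MAX_FILENAME_LEN)` in LoadTape_INFO reads the temporary heap buffer until it finds a NUL byte or has copied MAX_FILENAME_LEN bytes, but that buffer holds exactly `level_identifier_size` bytes taken from the tape file, and nothing in the hunk guarantees a terminator among them (or that the size is non-zero). A malformed or truncated tape file therefore makes strncpy read past the end of a malloc'd block; the old realloc-based code had the same exposure, so this is not a regression, but the rewrite is the place to close it. Bounding the copy by the bytes actually read avoids depending on the file contents: `int copy_len = (level_identifier_size < MAX_FILENAME_LEN ? level_identifier_size : MAX_FILENAME_LEN);` then `memcpy(tape->level_identifier, level_identifier, copy_len);` and `tape->level_identifier[copy_len] = '\0';` in place of the strncpy pair (this assumes getFile16BitBE never returns a negative value, which the hunk does not show). LoadTape_INFO's body continues past the end of the hunk.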
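Review bot: The copy-and-terminate pair added to TapeErase (`strncpy(...)` followed by `tape.level_identifier[MAX_FILENAME_LEN] = '\0'`) is the same three-line idiom the commit also writes into LoadTape_INFO, and the source here is a NUL-terminated C string, so a single `snprintf(tape.level_identifier, sizeof(tape.level_identifier), "%s", leveldir_current->identifier);` expresses the truncating copy in one line that cannot be left unterminated and does not zero-pad the remainder. Keeping the truncation in one form makes it easier to see that both sites honour the `MAX_FILENAME_LEN + 1` size of the new array field. TapeErase starts and ends outside the hunk.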
@@ -1160,12 +1164,7 @@ static boolean checkTapesFromSameLevel(struct TapeInfo *t1, struct TapeInfo *t2)
 static void CopyTape(struct TapeInfo *tape_from, struct TapeInfo *tape_to)
 {
-  if (tape_to->level_identifier != NULL)
-    checked_free(tape_to->level_identifier);
-
   *tape_to = *tape_from;
-
-  tape_to->level_identifier = getStringCopy(tape_from->level_identifier);
 }
 static void SwapTapes(struct TapeInfo *t1, struct TapeInfo *t2)
diff --git a/src/tape.h b/src/tape.h
index 332de217..a829448a 100644
--- a/src/tape.h
+++ b/src/tape.h
@@ -178,7 +178,7 @@ struct TapeInfo
   int game_version;		// game release version the tape was created with
   int engine_version;		// game engine version the tape was recorded with
-  char *level_identifier;
+  char level_identifier[MAX_FILENAME_LEN + 1];
   int level_nr;
   unsigned int random_seed;
   unsigned int date;
-- 
2.34.1
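Review bot: CopyTape is reduced to the bare assignment `*tape_to = *tape_from;` with no comment recording why the deep copy was dropped, which is exactly the knowledge the next person adding a heap-allocated member to TapeInfo needs. A one-line comment above the assignment, such as `// plain struct copy is sufficient: level_identifier is now an inline array, so no member owns heap memory`, documents the invariant this commit relies on; whether any other pointer member remains in TapeInfo is not visible in the hunk, and if one does it is now aliased between the two tapes rather than copied. The same invariant makes the snapshot restore described in the commit message safe, so it is worth stating once where the struct is defined as well.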
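Review bot: The new `char level_identifier[MAX_FILENAME_LEN + 1];` field in struct TapeInfo is the only member in this part of the struct without a trailing comment, while its neighbours (`game_version`, `engine_version`) each carry one. Since the `+ 1` is the slot that LoadTape_INFO and TapeErase write the terminator into, the comment should name that contract, e.g. `char level_identifier[MAX_FILENAME_LEN + 1];	// NUL-terminated, truncated to MAX_FILENAME_LEN chars on copy`, so that the array size and the two copy sites cannot silently drift apart. What the identifier denotes (it is filled from `leveldir_current->identifier` in TapeErase) is inferred from the tape.c hunk rather than shown here.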