From 59fb3ed900dd4e90b39b75cd7ba247180f94a662 Mon Sep 17 00:00:00 2001 From: Ashnal Date: Sat, 10 Sep 2022 13:29:18 -0400 Subject: [PATCH] Attempt to fix use after free bug with precipitation mobjs on netgame load --- src/p_mobj.c | 28 +++++++++++++++++++++------- src/p_saveg.c | 8 +++++++- 2 files changed, 28 insertions(+), 8 deletions(-) diff --git a/src/p_mobj.c b/src/p_mobj.c index 530dd37d..befcf04f 100644 --- a/src/p_mobj.c +++ b/src/p_mobj.c @@ -10298,20 +10298,34 @@ void P_RemovePrecipMobj(precipmobj_t *mobj) void P_RemoveSavegameMobj(mobj_t *mobj) { // unlink from sector and block lists - P_UnsetThingPosition(mobj); - - // Remove touching_sectorlist from mobj. - if (sector_list) + if (((thinker_t *)mobj)->function.acp1 == (actionf_p1)P_NullPrecipThinker) { - P_DelSeclist(sector_list); - sector_list = NULL; + P_UnsetPrecipThingPosition((precipmobj_t *)mobj); + + if (precipsector_list) + { + P_DelPrecipSeclist(precipsector_list); + precipsector_list = NULL; + } + } + else + { + // unlink from sector and block lists + P_UnsetThingPosition(mobj); + + // Remove touching_sectorlist from mobj. + if (sector_list) + { + P_DelSeclist(sector_list); + sector_list = NULL; + } } // stop any playing sound S_StopSound(mobj); // free block - P_RemoveThinker((thinker_t *)mobj); + P_RemoveThinkerDelayed((thinker_t *)mobj); // Call directly here since we are calling P_InitThinkers R_RemoveMobjInterpolator(mobj); } diff --git a/src/p_saveg.c b/src/p_saveg.c index f79b3f57..c3455498 100644 --- a/src/p_saveg.c +++ b/src/p_saveg.c @@ -2166,6 +2166,12 @@ static void LoadMobjThinker(actionf_p1 thinker) mobj->player->viewz = mobj->player->mo->z + mobj->player->viewheight; } + if (mobj->type == MT_SKYBOX) + if (mobj->spawnpoint->options & MTF_OBJECTSPECIAL) + skyboxmo[1] = mobj; + else + skyboxmo[0] = mobj; + P_AddThinker(&mobj->thinker); if (diff2 & MD2_WAYPOINTCAP) @@ -2666,7 +2672,7 @@ static void P_NetUnArchiveThinkers(void) { next = currentthinker->next; - if (currentthinker->function.acp1 == (actionf_p1)P_MobjThinker) + if (currentthinker->function.acp1 == (actionf_p1)P_MobjThinker || currentthinker->function.acp1 == (actionf_p1)P_NullPrecipThinker) P_RemoveSavegameMobj((mobj_t *)currentthinker); // item isn't saved, don't remove it else Z_Free(currentthinker);