Merge branch 'netunarchive-fixes' into 'master'

Fix use after free bug See merge request KartKrew/Kart-Public!315
2024-11-10 07:12:03 +00:00 · 2022-10-19 06:19:28 +00:00 · 2022-10-19 06:19:28 +00:00 · a69b3b0260
commit a69b3b0260
parent a12aaf40ce 78ad817cf1
3 changed files with 43 additions and 11 deletions
--- a/src/p_mobj.c
+++ b/src/p_mobj.c
@ -10298,21 +10298,41 @@ void P_RemovePrecipMobj(precipmobj_t *mobj)
 void P_RemoveSavegameMobj(mobj_t *mobj)
 {
 	// unlink from sector and block lists
-	P_UnsetThingPosition(mobj);
-
-	// Remove touching_sectorlist from mobj.
-	if (sector_list)
+	if (((thinker_t *)mobj)->function.acp1 == (actionf_p1)P_NullPrecipThinker)
 	{
-		P_DelSeclist(sector_list);
-		sector_list = NULL;
+		P_UnsetPrecipThingPosition((precipmobj_t *)mobj);
+
+		if (precipsector_list)
+		{
+			P_DelPrecipSeclist(precipsector_list);
+			precipsector_list = NULL;
+		}
+	}
+	else
+	{
+		// unlink from sector and block lists
+		P_UnsetThingPosition(mobj);
+
+		// Remove touching_sectorlist from mobj.
+		if (sector_list)
+		{
+			P_DelSeclist(sector_list);
+			sector_list = NULL;
+		}
 	}

 	// stop any playing sound
 	S_StopSound(mobj);
+	R_RemoveMobjInterpolator(mobj);

 	// free block
-	P_RemoveThinker((thinker_t *)mobj);
-	R_RemoveMobjInterpolator(mobj);
+	// Here we use the same code as R_RemoveThinkerDelayed, but without reference counting (we're removing everything so it shouldn't matter) and without touching currentthinker since we aren't in P_RunThinkers
+	{
+		thinker_t *thinker = (thinker_t *)mobj;
+		thinker_t *next = thinker->next;
+		(next->prev = thinker->prev)->next = next;
+		Z_Free(thinker);
+	}
 }

 static CV_PossibleValue_t respawnitemtime_cons_t[] = {{1, "MIN"}, {300, "MAX"}, {0, NULL}};
--- a/src/p_saveg.c
+++ b/src/p_saveg.c
@ -2166,6 +2166,14 @@ static void LoadMobjThinker(actionf_p1 thinker)
 			mobj->player->viewz = mobj->player->mo->z + mobj->player->viewheight;
 	}

+	if (mobj->type == MT_SKYBOX)
+	{
+		if (mobj->spawnpoint->options & MTF_OBJECTSPECIAL)
+			skyboxmo[1] = mobj;
+		else
+			skyboxmo[0] = mobj;
+	}
+
 	P_AddThinker(&mobj->thinker);

 	if (diff2 & MD2_WAYPOINTCAP)
@ -2666,10 +2674,14 @@ static void P_NetUnArchiveThinkers(void)
 	{
 		next = currentthinker->next;

-		if (currentthinker->function.acp1 == (actionf_p1)P_MobjThinker)
+		if (currentthinker->function.acp1 == (actionf_p1)P_MobjThinker || currentthinker->function.acp1 == (actionf_p1)P_NullPrecipThinker)
 			P_RemoveSavegameMobj((mobj_t *)currentthinker); // item isn't saved, don't remove it
 		else
+		{
+			(next->prev = currentthinker->prev)->next = next;
+			R_DestroyLevelInterpolators(currentthinker);
 			Z_Free(currentthinker);
+		}
 	}

 	// we don't want the removed mobjs to come back
--- a/src/p_setup.c
+++ b/src/p_setup.c
@ -3124,14 +3124,14 @@ boolean P_SetupLevel(boolean skipprecip)
 		if (!playerstarts[numcoopstarts])
 			break;

+	globalweather = mapheaderinfo[gamemap-1]->weather;
+
 	// set up world state
 	P_SpawnSpecials(fromnetsave);

 	if (loadprecip) //  ugly hack for P_NetUnArchiveMisc (and P_LoadNetGame)
 		P_SpawnPrecipitation();

-	globalweather = mapheaderinfo[gamemap-1]->weather;
-
 #ifdef HWRENDER // not win32 only 19990829 by Kin
 	if (rendermode != render_soft && rendermode != render_none)
 	{