Merge branch 'mobj-after-free' into 'master'

Fix use-after-frees around mobjs See merge request KartKrew/Kart-Public!309
2022-09-03 02:58:47 +00:00 · 2022-09-03 02:58:47 +00:00 · b2eff44dc4
parent e59521f14f f009b3d8c9
commit b2eff44dc4
6 changed files with 17 additions and 15 deletions
--- a/src/k_kart.c
+++ b/src/k_kart.c
@ -4286,7 +4286,7 @@ static void K_MoveHeldObjects(player_t *player)

 					}

-					if (cur->tracer)
+					if (cur->tracer && !P_MobjWasRemoved(cur->tracer))
 					{
 						fixed_t diffx, diffy, diffz;

--- a/src/p_enemy.c
+++ b/src/p_enemy.c
@ -2149,7 +2149,7 @@ void A_Boss1Laser(mobj_t *actor)
 	if (z - floorz < mobjinfo[MT_EGGMOBILE_FIRE].height>>1)
 	{
 		point = P_SpawnMobj(x, y, floorz+1, MT_EGGMOBILE_FIRE);
-		point->target = actor;
+		P_SetTarget(&point->target, actor);
 		point->destscale = 3*FRACUNIT;
 		point->scalespeed = FRACUNIT>>2;
 		point->fuse = TICRATE;
@ -2533,7 +2533,7 @@ void A_1upThinker(mobj_t *actor)
 		actor->frame = 0;
 		if (actor->tracer) {
 			P_RemoveMobj(actor->tracer);
-			actor->tracer = NULL;
+			P_SetTarget(&actor->target, NULL);
 		}
 		return;
 	}
@ -6547,7 +6547,7 @@ void A_Boss2PogoTarget(mobj_t *actor)
 	if (actor->info->missilestate) // spawn the pogo stick collision box
 	{
 		mobj_t *pogo = P_SpawnMobj(actor->x, actor->y, actor->z - mobjinfo[actor->info->missilestate].height, (mobjtype_t)actor->info->missilestate);
-		pogo->target = actor;
+		P_SetTarget(&pogo->target, actor);
 	}

 	actor->reactiontime = 1;
--- a/src/p_mobj.c
+++ b/src/p_mobj.c
@ -4231,7 +4231,7 @@ static void P_Boss3Thinker(mobj_t *mobj)
 			dummy = P_SpawnMobj(mobj->x, mobj->y, mobj->z, mobj->info->mass);
 			dummy->angle = mobj->angle;
 			dummy->threshold = way + 1;
-			dummy->tracer = mobj;
+			P_SetTarget(&dummy->tracer, mobj);

 			do
 				way2 = (way + P_RandomRange(1,3)) % 5; // dummy 2 has to be careful,
@ -4239,7 +4239,7 @@ static void P_Boss3Thinker(mobj_t *mobj)
 			dummy = P_SpawnMobj(mobj->x, mobj->y, mobj->z, mobj->info->mass);
 			dummy->angle = mobj->angle;
 			dummy->threshold = way2 + 1;
-			dummy->tracer = mobj;
+			P_SetTarget(&dummy->tracer, mobj);

 			CONS_Debug(DBG_GAMELOGIC, "Eggman path %d - Dummy selected paths %d and %d\n", mobj->threshold, way + 1, dummy->threshold);
 			P_LinedefExecute(LE_PINCHPHASE, mobj, NULL);
@ -4550,8 +4550,8 @@ static void P_Boss4Thinker(mobj_t *mobj)
 				P_SetTarget(&seg->target, mobj);
 				for (i = 0; i < 9; i++)
 				{
-					seg->hnext = P_SpawnMobj(mobj->x, mobj->y, z, MT_EGGMOBILE4_MACE);
-					seg->hnext->hprev = seg;
+					P_SetTarget(&seg->hnext, P_SpawnMobj(mobj->x, mobj->y, z, MT_EGGMOBILE4_MACE));
+					P_SetTarget(&seg->hnext->hprev, seg);
 					seg = seg->hnext;
 				}
 			}
@ -5111,10 +5111,10 @@ static void P_Boss9Thinker(mobj_t *mobj)
 			if (mo2->type == MT_BOSS9GATHERPOINT)
 			{
 				if (last)
-					last->hnext = mo2;
+					P_SetTarget(&last->hnext, mo2);
 				else
-					mobj->hnext = mo2;
-				mo2->hprev = last;
+					P_SetTarget(&mobj->hnext, mo2);
+				P_SetTarget(&mo2->hprev, last);
 				last = mo2;
 			}
 		}
@ -9800,7 +9800,7 @@ mobj_t *P_SpawnMobj(fixed_t x, fixed_t y, fixed_t z, mobjtype_t type)
 				mobj_t *side = P_SpawnMobj(mobj->x + FINECOSINE((ang>>ANGLETOFINESHIFT) & FINEMASK),
 					mobj->y + FINESINE((ang>>ANGLETOFINESHIFT) & FINEMASK), mobj->z, MT_PINETREE_SIDE);
 				side->angle = ang;
-				side->target = mobj;
+				P_SetTarget(&side->target, mobj);
 				side->threshold = i;
 			}
 			break;
@ -10312,6 +10312,7 @@ void P_RemoveSavegameMobj(mobj_t *mobj)

 	// free block
 	P_RemoveThinker((thinker_t *)mobj);
+	R_RemoveMobjInterpolator(mobj);
 }

 static CV_PossibleValue_t respawnitemtime_cons_t[] = {{1, "MIN"}, {300, "MAX"}, {0, NULL}};
--- a/src/p_saveg.c
+++ b/src/p_saveg.c
@ -3009,14 +3009,14 @@ static void P_RelinkPointers(void)
 			{
 				temp = (UINT32)(size_t)mobj->hnext;
 				mobj->hnext = NULL;
-				if (!(mobj->hnext = P_FindNewPosition(temp)))
+				if (!P_SetTarget(&mobj->hnext, P_FindNewPosition(temp)))
 					CONS_Debug(DBG_GAMELOGIC, "hnext not found on %d\n", mobj->type);
 			}
 			if (mobj->hprev)
 			{
 				temp = (UINT32)(size_t)mobj->hprev;
 				mobj->hprev = NULL;
-				if (!(mobj->hprev = P_FindNewPosition(temp)))
+				if (!P_SetTarget(&mobj->hprev, P_FindNewPosition(temp)))
 					CONS_Debug(DBG_GAMELOGIC, "hprev not found on %d\n", mobj->type);
 			}
 			if (mobj->player && mobj->player->capsule)
--- a/src/p_tick.c
+++ b/src/p_tick.c
@ -231,6 +231,7 @@ void P_RemoveThinkerDelayed(void *pthinker)
 			 * thinker->prev->next = thinker->next */
 			(next->prev = currentthinker = thinker->prev)->next = next;
 		}
+		R_DestroyLevelInterpolators(thinker);
 		Z_Free(thinker);
 	}
 }
--- a/src/r_fps.c
+++ b/src/r_fps.c
@ -684,7 +684,7 @@ void R_RemoveMobjInterpolator(mobj_t *mobj)

 	if (interpolated_mobjs_len == 0) return;

-	for (i = 0; i < interpolated_mobjs_len - 1; i++)
+	for (i = 0; i < interpolated_mobjs_len; i++)
 	{
 		if (interpolated_mobjs[i] == mobj)
 		{