Fixes an issue where mobjs with shadows would never get freed,

due to their reference count getting reset after
having their shadows spawned, resulting in a reference count of -1
and the mobj never being freed, or a use-after-free during the shadow's thinker.
Also adds some P_SetTargets to P_BlockThingsIterator to fix an inconsistency I noticed while investigating this.
This commit is contained in:
Ashnal 2022-10-03 02:07:36 -04:00
parent b2eff44dc4
commit bd4150b90e
2 changed files with 7 additions and 3 deletions

View file

@ -1034,7 +1034,10 @@ boolean P_BlockThingsIterator(INT32 x, INT32 y, boolean (*func)(mobj_t *))
{
P_SetTarget(&bnext, mobj->bnext); // We want to note our reference to bnext here incase it is MF_NOTHINK and gets removed!
if (!func(mobj))
{
P_SetTarget(&bnext, NULL);
return false;
}
if (P_MobjWasRemoved(tmthing) // func just popped our tmthing, cannot continue.
|| (bnext && P_MobjWasRemoved(bnext))) // func just broke blockmap chain, cannot continue.
{
@ -1042,6 +1045,7 @@ boolean P_BlockThingsIterator(INT32 x, INT32 y, boolean (*func)(mobj_t *))
return true;
}
}
P_SetTarget(&bnext, NULL);
return true;
}

View file

@ -9893,6 +9893,9 @@ mobj_t *P_SpawnMobj(fixed_t x, fixed_t y, fixed_t z, mobjtype_t type)
break;
}
if (!(mobj->flags & MF_NOTHINK))
P_AddThinker(&mobj->thinker); // Needs to come before the shadow spawn, or else the shadow's reference gets forgotten
switch (mobj->type)
{
case MT_PLAYER:
@ -9916,9 +9919,6 @@ mobj_t *P_SpawnMobj(fixed_t x, fixed_t y, fixed_t z, mobjtype_t type)
break;
}
if (!(mobj->flags & MF_NOTHINK))
P_AddThinker(&mobj->thinker);
// Call action functions when the state is set
if (st->action.acp1 && (mobj->flags & MF_RUNSPAWNFUNC))
{