mirror of
https://git.do.srb2.org/STJr/SRB2.git
synced 2024-11-15 01:01:33 +00:00
Fix use after free bug
This commit is contained in:
Ashnal
Eidolon
parent
6709100997
commit
7800c9e5c9
2 changed files with 49 additions and 9 deletions
36
src/p_mobj.c
36
src/p_mobj.c
|
|
@ -11195,21 +11195,41 @@ void P_RemovePrecipMobj(precipmobj_t *mobj)
|
|||
void P_RemoveSavegameMobj(mobj_t *mobj)
|
||||
{
|
||||
// unlink from sector and block lists
|
||||
P_UnsetThingPosition(mobj);
|
||||
|
||||
// Remove touching_sectorlist from mobj.
|
||||
if (sector_list)
|
||||
if (((thinker_t *)mobj)->function.acp1 == (actionf_p1)P_NullPrecipThinker)
|
||||
{
|
||||
P_DelSeclist(sector_list);
|
||||
sector_list = NULL;
|
||||
P_UnsetPrecipThingPosition((precipmobj_t *)mobj);
|
||||
|
||||
if (precipsector_list)
|
||||
{
|
||||
P_DelPrecipSeclist(precipsector_list);
|
||||
precipsector_list = NULL;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
// unlink from sector and block lists
|
||||
P_UnsetThingPosition(mobj);
|
||||
|
||||
// Remove touching_sectorlist from mobj.
|
||||
if (sector_list)
|
||||
{
|
||||
P_DelSeclist(sector_list);
|
||||
sector_list = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
// stop any playing sound
|
||||
S_StopSound(mobj);
|
||||
R_RemoveMobjInterpolator(mobj);
|
||||
|
||||
// free block
|
||||
P_RemoveThinker((thinker_t *)mobj);
|
||||
R_RemoveMobjInterpolator(mobj);
|
||||
// Here we use the same code as R_RemoveThinkerDelayed, but without reference counting (we're removing everything so it shouldn't matter) and without touching currentthinker since we aren't in P_RunThinkers
|
||||
{
|
||||
thinker_t *thinker = (thinker_t *)mobj;
|
||||
thinker_t *next = thinker->next;
|
||||
(next->prev = thinker->prev)->next = next;
|
||||
Z_Free(thinker);
|
||||
}
|
||||
}
|
||||
|
||||
static CV_PossibleValue_t respawnitemtime_cons_t[] = {{1, "MIN"}, {300, "MAX"}, {0, NULL}};
|
||||
|
|
|
|||
|
|
@ -3059,6 +3059,18 @@ static thinker_t* LoadMobjThinker(actionf_p1 thinker)
|
|||
mobj->player->viewz = mobj->player->mo->z + mobj->player->viewheight;
|
||||
}
|
||||
|
||||
if (mobj->type == MT_SKYBOX && mobj->spawnpoint)
|
||||
{
|
||||
mtag_t tag = Tag_FGet(&mobj->spawnpoint->tags);
|
||||
if (tag >= 0 && tag <= 15)
|
||||
{
|
||||
if (mobj->spawnpoint->args[0])
|
||||
skyboxcenterpnts[tag] = mobj;
|
||||
else
|
||||
skyboxviewpnts[tag] = mobj;
|
||||
}
|
||||
}
|
||||
|
||||
mobj->info = (mobjinfo_t *)next; // temporarily, set when leave this function
|
||||
|
||||
R_AddMobjInterpolator(mobj);
|
||||
|
|
@ -3680,10 +3692,14 @@ static void P_NetUnArchiveThinkers(void)
|
|||
{
|
||||
next = currentthinker->next;
|
||||
|
||||
if (currentthinker->function.acp1 == (actionf_p1)P_MobjThinker)
|
||||
if (currentthinker->function.acp1 == (actionf_p1)P_MobjThinker || currentthinker->function.acp1 == (actionf_p1)P_NullPrecipThinker)
|
||||
P_RemoveSavegameMobj((mobj_t *)currentthinker); // item isn't saved, don't remove it
|
||||
else
|
||||
{
|
||||
(next->prev = currentthinker->prev)->next = next;
|
||||
R_DestroyLevelInterpolators(currentthinker);
|
||||
Z_Free(currentthinker);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -3885,6 +3901,10 @@ static void P_NetUnArchiveThinkers(void)
|
|||
CONS_Debug(DBG_NETPLAY, "%u thinkers loaded in list %d\n", numloaded, i);
|
||||
}
|
||||
|
||||
// Set each skyboxmo to the first skybox (or NULL)
|
||||
skyboxmo[0] = skyboxviewpnts[0];
|
||||
skyboxmo[1] = skyboxcenterpnts[0];
|
||||
|
||||
if (restoreNum)
|
||||
{
|
||||
executor_t *delay = NULL;
|
||||
|
|
|
|||
Loading…
Reference in a new issue