Fix use after free bug

This commit is contained in:
Ashnal 2022-11-12 17:20:03 -06:00 committed by Eidolon
parent 6709100997
commit 7800c9e5c9
2 changed files with 49 additions and 9 deletions

View file

@ -11194,6 +11194,19 @@ void P_RemovePrecipMobj(precipmobj_t *mobj)
// Clearing out stuff for savegames // Clearing out stuff for savegames
void P_RemoveSavegameMobj(mobj_t *mobj) void P_RemoveSavegameMobj(mobj_t *mobj)
{ {
// unlink from sector and block lists
if (((thinker_t *)mobj)->function.acp1 == (actionf_p1)P_NullPrecipThinker)
{
P_UnsetPrecipThingPosition((precipmobj_t *)mobj);
if (precipsector_list)
{
P_DelPrecipSeclist(precipsector_list);
precipsector_list = NULL;
}
}
else
{
// unlink from sector and block lists // unlink from sector and block lists
P_UnsetThingPosition(mobj); P_UnsetThingPosition(mobj);
@ -11203,13 +11216,20 @@ void P_RemoveSavegameMobj(mobj_t *mobj)
P_DelSeclist(sector_list); P_DelSeclist(sector_list);
sector_list = NULL; sector_list = NULL;
} }
}
// stop any playing sound // stop any playing sound
S_StopSound(mobj); S_StopSound(mobj);
R_RemoveMobjInterpolator(mobj);
// free block // free block
P_RemoveThinker((thinker_t *)mobj); // Here we use the same code as R_RemoveThinkerDelayed, but without reference counting (we're removing everything so it shouldn't matter) and without touching currentthinker since we aren't in P_RunThinkers
R_RemoveMobjInterpolator(mobj); {
thinker_t *thinker = (thinker_t *)mobj;
thinker_t *next = thinker->next;
(next->prev = thinker->prev)->next = next;
Z_Free(thinker);
}
} }
static CV_PossibleValue_t respawnitemtime_cons_t[] = {{1, "MIN"}, {300, "MAX"}, {0, NULL}}; static CV_PossibleValue_t respawnitemtime_cons_t[] = {{1, "MIN"}, {300, "MAX"}, {0, NULL}};

View file

@ -3059,6 +3059,18 @@ static thinker_t* LoadMobjThinker(actionf_p1 thinker)
mobj->player->viewz = mobj->player->mo->z + mobj->player->viewheight; mobj->player->viewz = mobj->player->mo->z + mobj->player->viewheight;
} }
if (mobj->type == MT_SKYBOX && mobj->spawnpoint)
{
mtag_t tag = Tag_FGet(&mobj->spawnpoint->tags);
if (tag >= 0 && tag <= 15)
{
if (mobj->spawnpoint->args[0])
skyboxcenterpnts[tag] = mobj;
else
skyboxviewpnts[tag] = mobj;
}
}
mobj->info = (mobjinfo_t *)next; // temporarily, set when leave this function mobj->info = (mobjinfo_t *)next; // temporarily, set when leave this function
R_AddMobjInterpolator(mobj); R_AddMobjInterpolator(mobj);
@ -3680,12 +3692,16 @@ static void P_NetUnArchiveThinkers(void)
{ {
next = currentthinker->next; next = currentthinker->next;
if (currentthinker->function.acp1 == (actionf_p1)P_MobjThinker) if (currentthinker->function.acp1 == (actionf_p1)P_MobjThinker || currentthinker->function.acp1 == (actionf_p1)P_NullPrecipThinker)
P_RemoveSavegameMobj((mobj_t *)currentthinker); // item isn't saved, don't remove it P_RemoveSavegameMobj((mobj_t *)currentthinker); // item isn't saved, don't remove it
else else
{
(next->prev = currentthinker->prev)->next = next;
R_DestroyLevelInterpolators(currentthinker);
Z_Free(currentthinker); Z_Free(currentthinker);
} }
} }
}
// we don't want the removed mobjs to come back // we don't want the removed mobjs to come back
iquetail = iquehead = 0; iquetail = iquehead = 0;
@ -3885,6 +3901,10 @@ static void P_NetUnArchiveThinkers(void)
CONS_Debug(DBG_NETPLAY, "%u thinkers loaded in list %d\n", numloaded, i); CONS_Debug(DBG_NETPLAY, "%u thinkers loaded in list %d\n", numloaded, i);
} }
// Set each skyboxmo to the first skybox (or NULL)
skyboxmo[0] = skyboxviewpnts[0];
skyboxmo[1] = skyboxcenterpnts[0];
if (restoreNum) if (restoreNum)
{ {
executor_t *delay = NULL; executor_t *delay = NULL;