From b9e7eaac268425e9fa9c20327da00a47d189fedf Mon Sep 17 00:00:00 2001
From: "alexey.lysiuk"
Date: Fri, 22 Jun 2018 15:40:28 +0300
Subject: [PATCH] - fixed potential access to freed memory on map loading

MapData could destruct FResourceLump objects before accessing them
Loading of map .wad from .pk3 file is example of this case
https://forum.zdoom.org/viewtopic.php?t=60972

(cherry picked from commit 9b4e8efcb9033be0d477d9e05fd5e84415438741)
---
 src/p_setup.h | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/src/p_setup.h b/src/p_setup.h
index 6b961bfa7..b9c680632 100644
--- a/src/p_setup.h
+++ b/src/p_setup.h
@@ -36,6 +36,25 @@
 struct MapData
 {
 private:
+ struct ResourceHolder
+ {
+ FResourceFile *data = nullptr;
+
+ ~ResourceHolder()
+ {
+ delete data;
+ }
+
+ ResourceHolder &operator=(FResourceFile *other) { data = other; return *this; }
+ FResourceFile *operator->() { return data; }
+ operator FResourceFile *() const { return data; }
+ };
+
+ // The order of members here is important
+ // Resource should be destructed after MapLumps as readers may share FResourceLump objects
+ // For example, this is the case when map .wad is loaded from .pk3 file
+ ResourceHolder resource;
+
 struct MapLump
 {
 char Name[8] = { 0 };
@@ -48,13 +67,6 @@ public:
 bool isText = false;
 bool InWad = false;
 int lumpnum = -1;
- FResourceFile * resource = nullptr;
-
- ~MapData()
- {
- if (resource != nullptr) delete resource;
- resource = nullptr;
- }
 
 /*
 void Seek(unsigned int lumpindex)
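Review bot: `ResourceHolder` (first hunk) deletes `data` in its destructor but keeps the implicit copy constructor and copy assignment, so copying a `MapData` or the holder itself would leave two objects deleting the same `FResourceFile`. Since the type exists only to control destruction order, I would make it non-copyable: `ResourceHolder() = default;`, `ResourceHolder(const ResourceHolder &) = delete;` and `ResourceHolder &operator=(const ResourceHolder &) = delete;`. `operator=(FResourceFile *other)` also overwrites `data` without releasing the previous pointer; whether `resource` is ever assigned more than once is not visible here, so either delete the old value there or add a comment stating that it is assigned once. `MapData` continues outside the hunk.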