widelands-dev team mailing list archive

[Merge] lp:~widelands-dev/widelands/bug-1798024-heap-use-after-free into lp:widelands


GunChleoc has proposed merging lp:~widelands-dev/widelands/bug-1798024-heap-use-after-free into lp:widelands.

Commit message:
Fix heap-use-after-free in fleet while processing EditorGameBase::cleanup_objects() when ship has already been deleted

Requested reviews:
  Widelands Developers (widelands-dev)
Related bugs:
  Bug #1798024 in widelands: "heap-use-after-free in in Widelands::Ship::set_fleet while loading savegame"
  https://bugs.launchpad.net/widelands/+bug/1798024

For more details, see:
https://code.launchpad.net/~widelands-dev/widelands/bug-1798024-heap-use-after-free/+merge/356825

Savegame for testing: https://bugs.launchpad.net/widelands/+bug/1796364/comments/3
-- 
Your team Widelands Developers is requested to review the proposed merge of lp:~widelands-dev/widelands/bug-1798024-heap-use-after-free into lp:widelands.
=== modified file 'src/economy/fleet.cc'
--- src/economy/fleet.cc	2018-09-05 06:42:21 +0000
+++ src/economy/fleet.cc	2018-10-16 13:49:13 +0000
@@ -258,7 +258,11 @@
 	portpaths_.clear();
 
 	while (!ships_.empty()) {
-		ships_.back()->set_fleet(nullptr);
+		Ship* ship = ships_.back();
+		// Check if the ship still exists to avoid heap-use-after-free when ship has already been deleted while processing EditorGameBase::cleanup_objects()
+		if (egbase.objects().object_still_available(ship)) {
+			ship->set_fleet(nullptr);
+		}
 		ships_.pop_back();
 	}
 
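Review bot: the guard `if (egbase.objects().object_still_available(ship))` is only safe if `object_still_available` accepts a pointer that may already be dangling without dereferencing it (i.e. it looks the pointer up in the live-object table rather than reading a field such as a serial through `ship`); please confirm that, otherwise the use-after-free just moves from `set_fleet` into the check. The hunk also does not show where `egbase` comes from, so confirm the enclosing function has it in scope. Two smaller points: a stale entry in `ships_` after the ship was deleted suggests the root cause is that a deleted ship is not removed from its fleet during `cleanup_objects()`, which this guard tolerates rather than fixes, and the added comment line is long enough that wrapping it to the file's usual width would help readability.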

