widelands

Merge lp:~widelands-dev/widelands/bug-1798024-heap-use-after-free into lp:widelands

  1. bug-1798024-heap-use-after-free
  2. Merge into trunk
Proposed by GunChleoc
Status: Merged
Merged at revision: 8898
Proposed branch: lp:~widelands-dev/widelands/bug-1798024-heap-use-after-free
Merge into: lp:widelands
Diff against target: 15 lines (+5/-1)
1 file modified
src/economy/fleet.cc (+5/-1)
To merge this branch: bzr merge lp:~widelands-dev/widelands/bug-1798024-heap-use-after-free
Reviewer Review Type Date Requested Status
Notabilis diff, test Approve
Review via email: mp+356825@code.launchpad.net

Commit message

Fix heap-use-after-free in fleet while processing EditorGameBase::cleanup_objects() when ship has already been deleted

Description of the change

Savegame for testing: https://bugs.launchpad.net/widelands/+bug/1796364/comments/3

To post a comment you must log in.
Revision history for this message
bunnybot (widelandsofficial) wrote :

Continuous integration builds have changed state:

Travis build 4146. State: passed. Details: https://travis-ci.org/widelands/widelands/builds/442210639.
Appveyor build 3943. State: success. Details: https://ci.appveyor.com/project/widelands-dev/widelands/build/_widelands_dev_widelands_bug_1798024_heap_use_after_free-3943.

Revision history for this message
Notabilis (notabilis27) wrote :

Fix is looking good and I loaded the provided savegame a few times without it crashing.

review: Approve (diff, test)
Revision history for this message
GunChleoc (gunchleoc) wrote :

Thanks for the review!

@bunnybot merge

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'src/economy/fleet.cc'
2--- src/economy/fleet.cc 2018-09-05 06:42:21 +0000
3+++ src/economy/fleet.cc 2018-10-16 13:56:45 +0000
4@@ -258,7 +258,11 @@
5 portpaths_.clear();
6
7 while (!ships_.empty()) {
8- ships_.back()->set_fleet(nullptr);
9+ Ship* ship = ships_.back();
10+ // Check if the ship still exists to avoid heap-use-after-free when ship has already been deleted while processing EditorGameBase::cleanup_objects()
11+ if (egbase.objects().object_still_available(ship)) {
12+ ship->set_fleet(nullptr);
13+ }
14 ships_.pop_back();
15 }
16

Subscribers

People subscribed via source and target branches

to status/vote changes: