[Scummvm-git-logs] scummvm master -> bad85b3c9cbd7542bcdd9e2b730bb42119df0193
bluegr
noreply at scummvm.org
Sun May 28 20:32:23 UTC 2023
This automated email contains information about 1 new commit which has been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .
Summary:
bad85b3c9c SAGA: Fix use-after-free on handling actor action
Commit: bad85b3c9cbd7542bcdd9e2b730bb42119df0193
https://github.com/scummvm/scummvm/commit/bad85b3c9cbd7542bcdd9e2b730bb42119df0193
Author: PushmePullyu (127053144+PushmePullyu at users.noreply.github.com)
Date: 2023-05-28T23:32:20+03:00
Commit Message:
SAGA: Fix use-after-free on handling actor action
On switching scenes:
Reset _actor->_lastZone in Actor::updateActorsScene().
Actors can store a pointer to a HitZone in _lastZone
(see Actor::handleActions()).
The HitZone pointed to is held by ObjectMap vm->_scene->_objectMap
in array _hitZoneList.
When changing scenes the array elements are cleared via
ObjectMap::clear() and _lastZone can become stale since
only some code paths reset it (e.g. Actor::takeExit()).
The stale pointer is then passed to Actor::stepZoneAction()
from Actor::handleActions() and dereferenced.
Fixes #13661
Changed paths:
engines/saga/actor_walk.cpp
diff --git a/engines/saga/actor_walk.cpp b/engines/saga/actor_walk.cpp
index ae812258349..ed7e0ae9581 100644
--- a/engines/saga/actor_walk.cpp
+++ b/engines/saga/actor_walk.cpp
@@ -192,6 +192,7 @@ void Actor::updateActorsScene(int actorsEntrance) {
_protagonist = nullptr;
for (ActorDataArray::iterator actor = _actors.begin(); actor != _actors.end(); ++actor) {
+ actor->_lastZone = nullptr;
actor->_inScene = false;
actor->_spriteList.clear();
if ((actor->_flags & (kProtagonist | kFollower)) || (actor->_index == 0)) {
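Review bot: The added "actor->_lastZone = nullptr;" at the top of the loop in Actor::updateActorsScene() carries no comment saying why it is needed, so a later cleanup could drop it as a redundant reset. A one-line comment stating that _lastZone points into the scene ObjectMap's _hitZoneList, whose elements are cleared on scene change, would keep that invariant visible in the code rather than only in the commit message. The reset also sits on the actor side instead of next to ObjectMap::clear(), and the hunk does not show whether every path that clears the hit zones runs this function before Actor::handleActions() is called again; please confirm that ordering, or consider resetting the pointer where the zones are cleared.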