cpp/openttd-patchpack/source Changeset - r25491:a3015bde6b9b

Changeset - r25491:a3015bde6b9b

Parent rev.

Child rev.

[Not reviewed]

master

0 1 0

Rubidium - 3 years ago 2021-05-16 05:33:32
rubidium@openttd.org

Fix #9267, 47a99bb: [Squirrel] Heap use after free

Due to 47a99bb the order of elements in the garbage collection chain has
changed causing the class to be finalised before the instances of that class.
Since the instance's array of member values depends on the size of the values
in the class, the class finalisation resetting that size to 0 causes not all
finalisations to run, which subsequently causes a heap use after free. So,
just set the SQObjectPtrs to 'null' during the finalisation of the SQClass
so the SQInstance can release all instance variables during its finalisation.

1 file changed with 7 insertions and 1 deletions:

src/3rdparty/squirrel/squirrel/sqclass.cpp

0 comments (0 inline, 0 general)

src/3rdparty/squirrel/squirrel/sqclass.cpp

➞

Show inline comments

@@ @@ -34,7 +34,13 @@ SQClass::SQClass(SQSharedState *ss,SQCla @@
 void SQClass::Finalize() {
 	_attributes = _null_;
 	_defaultvalues.resize(0);
 	/* SQInstance's Finalize depends on the size of this sqvector, so instead of
 	 * resizing, all SQObjectPtrs are set to "null" so it holds no references to
 	 * other objects anymore. That way everything gets released properly. */
 	for (SQUnsignedInteger i = 0; i < _defaultvalues.size(); i++) {
 		_defaultvalues[i].val = _null_;
 		_defaultvalues[i].attrs = _null_;
+	}
 	_methods.resize(0);
 	_metamethods.resize(0);
 	__ObjRelease(_members);

0 comments (0 inline, 0 general)