Skip to content

Commit

Permalink
Fix heap use after free accessing C4ObjectMenu::ClearObjectPtr
Browse files Browse the repository at this point in the history
  • Loading branch information
@maxmitti
maxmitti committed Nov 18, 2023
1 parent 5a2f8ee commit 4b4efc3
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 1 deletion.
13 changes: 12 additions & 1 deletion src/C4ObjectMenu.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,11 @@ C4ObjectMenu::~C4ObjectMenu()
{
*ClearObjectPtr = nullptr;
}

if (IsDeleted)
{
*IsDeleted = true;
}
}

void C4ObjectMenu::Default()
Expand Down Expand Up @@ -511,6 +516,8 @@ bool C4ObjectMenu::MenuCommand(const char *szCommand, bool fIsCloseCommand)
{
ClearObjectPtr = &l_Object;
}
bool isDeleted{false};
IsDeleted = &isDeleted;

switch (eCallbackType)
{
Expand All @@ -531,7 +538,11 @@ bool C4ObjectMenu::MenuCommand(const char *szCommand, bool fIsCloseCommand)

if ((!l_Permanent || fIsCloseCommand) && l_Object) l_Object->AutoContextMenu(l_LastSelection);

ClearObjectPtr = nullptr;
if (!isDeleted)
{
ClearObjectPtr = nullptr;
IsDeleted = nullptr;
}

return true;
}
Expand Down
1 change: 1 addition & 0 deletions src/C4ObjectMenu.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,7 @@ class C4ObjectMenu : public C4Menu
CallbackType eCallbackType;
bool UserMenu; // set for script created menus; user menus do CloseQuery and MenuSelection callbacks
bool CloseQuerying; // recursion check for close query callback
bool *IsDeleted{nullptr};

void LocalInit(C4Object *pObject, bool fUserMenu);

Expand Down

0 comments on commit 4b4efc3

Please sign in to comment.