[Vengeance] Fix pick_up_fragment use-after-free crash#11184
Open
taherbert wants to merge 1 commit into simulationcraft:midnight from
pick_up_event_t stored a raw pointer to the selected soul_fragment_t. If another ability consumed and deleted that fragment during the movement delay, the event would dereference freed memory. Only surfaces on Vengeance because fragments spawn at ~10.6 yards (vs Havoc's ~4.6), giving a non-zero movement time where spenders can consume the fragment before the event fires. Fix: store the fragment type instead of a raw pointer and re-select an active fragment when the event fires. Also remove the vestigial consume_soul_greater null guard which was always true.
pick_up_event_t stored a raw pointer to the fragment selected when the action fired. For Vengeance, fragments spawn ~10.6 yards away with a 4-yard pickup radius, so there's a real movement delay before the event resolves. If a spender like Spirit Bomb or Soul Cleave consumes that fragment during the delay, the pointer goes stale and the event dereferences freed memory. Havoc doesn't hit this because fragments spawn at ~4.6 yards with an 8-yard pickup radius, so movement time is zero and the event fires instantly.
The fix stores the fragment type instead of a raw pointer. When the event fires, it re-selects an active fragment of that type. If the original fragment was consumed, it picks up another one; if none are left, it's a no-op.
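A minimal model of the hardened pattern described above, added here as an example and not simulationcraft's own code: the names (`demon_hunter_t`, `soul_fragment_t`, `pick_up_event_t`, `select_active`, `run_scenario`) and the fragment list are assumptions that stand in for the real types. The event holds only the fragment type and re-selects from the live list when it fires, so a fragment consumed during the movement delay can never leave a dangling pointer.

```cpp
#include <algorithm>
#include <memory>
#include <utility>
#include <vector>
enum class soul_fragment { LESSER, GREATER };
struct soul_fragment_t {
  explicit soul_fragment_t(soul_fragment t) : type(t) {}
  soul_fragment type;
};

// Assumed owner of the fragment list. Consuming frees the fragment, which is
// what turns a raw pointer held across the movement delay into a dangling one.
struct demon_hunter_t {
  std::vector<std::unique_ptr<soul_fragment_t>> fragments;
  void spawn(soul_fragment t) { fragments.push_back(std::make_unique<soul_fragment_t>(t)); }
  // First active fragment of the given type, or nullptr if none is left.
  soul_fragment_t* select_active(soul_fragment t) {
    for (auto& f : fragments) if (f->type == t) return f.get();
    return nullptr;
  }
  // Consume (free) one fragment; used by spenders and by the pick-up event.
  bool consume(soul_fragment_t* frag) {
    auto it = std::find_if(fragments.begin(), fragments.end(),
                           [frag](const auto& f) { return f.get() == frag; });
    if (it == fragments.end()) return false;
    fragments.erase(it);  // frag is freed here
    return true;
  }
  int active_count() const { return static_cast<int>(fragments.size()); }
};

// Hardened event: stores the fragment *type*, never a fragment pointer, and
// re-selects when it fires. Returns false when the pick-up becomes a no-op.
struct pick_up_event_t {
  demon_hunter_t* dh;
  soul_fragment type;
  bool execute() { auto* f = dh->select_active(type); return f && dh->consume(f); }
};

// Constructed scenario from the PR: `spawned` fragments exist, a pick-up is
// scheduled, a spender consumes one during the delay, then the event fires.
std::pair<bool, int> run_scenario(int spawned) {
  demon_hunter_t dh;
  for (int i = 0; i < spawned; ++i) dh.spawn(soul_fragment::LESSER);
  pick_up_event_t ev{&dh, soul_fragment::LESSER};       // scheduled, not fired
  dh.consume(dh.select_active(soul_fragment::LESSER));  // spender fires first
  bool picked = ev.execute();                           // safe: no stale pointer
  return {picked, dh.active_count()};  // {event picked one up, still active}
}
```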