#1656: dereference of a pointer to freed memory during level load in event.c
--------------------------------------+-------------------------------------
        Reporter:  Ai_Tak             |        Type:  bug                   
          Status:  new                |    Priority:  critical              
       Milestone:  2.3                |   Component:  Engine: Scripting / AI
         Version:  2.3 beta 11a       |    Keywords:                        
Operating_system:  Microsoft Windows  |   Blockedby:                        
        Blocking:                     |  
--------------------------------------+-------------------------------------
 This happens around line 1046 of event.c in function
 eventFireCallbackTrigger after you start loading a new game, after the 11th
 time interpRunScript is called from line 1046 (3rd time after
 startGameLoop). psCurr (relative to eventFireCallbackTrigger) has already
 been unlinked from the list (on line 1041). In a call to
 eventRemoveTriggerFromList (called from interpRunScript), psCurr->psNext
 (as seen from eventFireCallbackTrigger) is freed (line 1255) and unlinked
 from the list, but since psCurr is ALREADY unlinked from the list,
 psCurr->psNext->psNext is linked to psPrev (psPrev->psNext is updated)
 rather than psCurr->psNext being updated. psCurr->psNext and psNext now
 both point to freed memory and could potentially lead to an access
 violation on line 989. This happens more often in debug builds and almost
 always with standard page heap verification enabled. In release builds it
 may also result in a crash, although since the freed memory may still be
 accessible, it would more often result in the (freed) event at
 psCurr->psNext (maybe?) being fired a second time in this one instance.

 I've attached a diff that corrects this problem, but it is more of a
 workaround. Without this patch I can only start a (skirmish) game running
 under the debugger (msvc) about 1 out of 20 times. With it I can't get it
 to crash under any load conditions.

-- 
Ticket URL: <http://developer.wz2100.net/ticket/1656>
Warzone 2100 Trac <http://developer.wz2100.net/>
The Warzone 2100 Project
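The traversal hazard the ticket describes, as an added example that is neither Warzone's event.c nor the attached diff: a minimal trigger list whose scripts may remove the trigger that the traversal is about to visit next. addTrigger, removeTrigger, runScript and the dead flag are hypothetical stand-ins; marking a node dead replaces free() so the unsafe path can be observed without touching freed memory.

```c
#include <stdlib.h>
typedef struct Trigger {
    struct Trigger *psNext;
    int id, removeId;  /* removeId: trigger this script removes when run (0 = none) */
    int dead, fired;   /* dead stands in for free(), so the demo never touches freed memory */
} Trigger;
static Trigger *g_list;     /* head of the live trigger list */
static int g_deferRemoval;  /* set while firing: removals only mark, the sweep unlinks */
static Trigger *addTrigger(int id, int removeId) {  /* append at tail (hypothetical helper) */
    Trigger *t = calloc(1, sizeof *t), **pp = &g_list;
    t->id = id; t->removeId = removeId;
    while (*pp) pp = &(*pp)->psNext;
    return *pp = t;
}
/* Stand-in for eventRemoveTriggerFromList: find by id, unlink it, "free" it. */
static void removeTrigger(int id) {
    for (Trigger **pp = &g_list; *pp; pp = &(*pp)->psNext)
        if ((*pp)->id == id) {
            (*pp)->dead = 1;
            if (!g_deferRemoval) *pp = (*pp)->psNext;
            return;
        }
}
/* Stand-in for interpRunScript: a script may remove any other trigger. */
static void runScript(Trigger *t) { t->fired++; if (t->removeId) removeTrigger(t->removeId); }
/* Ticket's pattern: psCurr is unlinked before its script runs, so when the script removes
 * psCurr->psNext the list is patched but psCurr->psNext still points at the freed node. */
static int fireAllUnsafe(void) {  /* returns how often the loop would step into freed memory */
    int dangling = 0;
    for (Trigger *psCurr = g_list, *psNext; psCurr; psCurr = psNext) {
        g_list = psCurr->psNext;      /* unlink psCurr first (cf. line 1041) */
        psNext = psCurr->psNext;
        runScript(psCurr);            /* may "free" psNext (cf. line 1255) */
        psCurr->dead = 1;
        if (psNext && psNext->dead) { dangling++; psNext = g_list; } /* real code: UAF at 989 */
    }
    return dangling;
}
/* Fix: psCurr stays linked while its script runs, removals only mark nodes dead,
 * and one sweep after the traversal unlinks and frees them. Returns triggers fired. */
static int fireAllSafe(void) {
    int fired = 0; g_deferRemoval = 1;
    for (Trigger *psCurr = g_list; psCurr; psCurr = psCurr->psNext)
        if (!psCurr->dead) { runScript(psCurr); psCurr->dead = 1; fired++; }
    g_deferRemoval = 0;
    for (Trigger **pp = &g_list; *pp; )  /* sweep: safe now that nothing iterates */
        if ((*pp)->dead) { Trigger *d = *pp; *pp = d->psNext; free(d); }
        else pp = &(*pp)->psNext;
    return fired;
}
```

With triggers 1, 2, 3 where trigger 1's script removes trigger 2, the unsafe loop reports one stale step while the deferred-sweep version fires 1 and 3 and leaves an empty list.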