Core/Movement: Fix invalid memory access

Fix the stack implementation used in MotionMaster and added few sanity checks to ensure no underflows will be made. Valgrind log: Invalid read of size 8 at : MotionMaster::top() const (MotionMaster.h:115) by : MotionMaster::pop() (MotionMaster.h:91) by : MotionMaster::~MotionMaster() (MotionMaster.cpp:74) by : Unit::~Unit() (Unit.cpp:296) by : Player::~Player() (Player.cpp:880) by : WorldSession::HandleCharCreateCallback(Trinity::AutoPtr<PreparedResultSet, ACE_Thread_Mutex>, CharacterCreateInfo*) (CharacterHandler.cpp:665) by : WorldSession::HandleCharCreateCallback(Trinity::AutoPtr<PreparedResultSet, ACE_Thread_Mutex>, CharacterCreateInfo*) (CharacterHandler.cpp:516)
2026-01-16 07:30:42 +01:00 · 2013-12-14 16:40:04 +01:00
parent 9d9d1fb6c6
commit e28cc4660b
2 changed files with 25 additions and 6 deletions
--- a/src/server/game/Movement/MotionMaster.cpp
+++ b/src/server/game/Movement/MotionMaster.cpp
@@ -130,6 +130,9 @@ void MotionMaster::DirectClean(bool reset)
        if (curr) DirectDelete(curr);
    }

+    if (empty())
+        return;
+
    if (needInitTop())
        InitTop();
    else if (reset)
@@ -156,7 +159,7 @@ void MotionMaster::DirectExpire(bool reset)
        DirectDelete(curr);
    }

-    while (!top())
+    while (!empty() && !top())
        --_top;

    if (empty())
@@ -176,7 +179,7 @@ void MotionMaster::DelayedExpire()
        DelayedDelete(curr);
    }

-    while (!top())
+    while (!empty() && !top())
        --_top;
 }

--- a/src/server/game/Movement/MotionMaster.h
+++ b/src/server/game/Movement/MotionMaster.h
@@ -87,13 +87,21 @@ class MotionMaster //: private std::stack<MovementGenerator *>

        void pop()
        {
+            if (empty())
+                return;
+
            Impl[_top] = NULL;
-            while (!top())
+            while (!empty() && !top())
                --_top;
        }
        void push(_Ty _Val) { ++_top; Impl[_top] = _Val; }

-        bool needInitTop() const { return _needInit[_top]; }
+        bool needInitTop() const 
+        { 
+            if (empty())
+                return false;
+            return _needInit[_top]; 
+        }
        void InitTop();
    public:

@@ -112,8 +120,16 @@ class MotionMaster //: private std::stack<MovementGenerator *>

        bool empty() const { return (_top < 0); }
        int size() const { return _top + 1; }
-        _Ty top() const { return Impl[_top]; }
-        _Ty GetMotionSlot(int slot) const { return Impl[slot]; }
+        _Ty top() const 
+        { 
+            ASSERT(!empty());
+            return Impl[_top]; 
+        }
+        _Ty GetMotionSlot(int slot) const 
+        { 
+            ASSERT(slot >= 0);
+            return Impl[slot]; 
+        }

        void DirectDelete(_Ty curr);
        void DelayedDelete(_Ty curr);