Mind Vision has Aura Effect SPELL_AURA_BIND_SIGHT which adds the target to a special Map container i_objectsToSwitch, used to switch grid containers for target Creatures of this Aura Effect.
When the target is a Creature, when the Creature is removed from world it's added to i_objectsToSwitch and then to i_objectsToRemove, iterated in this order in Map::RemoveAllObjectsInRemoveList() so the reference in i_objectsToSwitch is valid.
When the target is a Player, when the Player logs out it's added to i_objectsToSwitch but then Map::RemovePlayerFromMap() deletes the Player, leaving an invalid reference in i_objectsToSwitch.
Since the whole point of i_objectsToSwitch is to store Creatures and since the stored references are used only if the condition "GetTypeId() == TYPEID_UNIT" is verified, it's safe to add only objects of TYPEID_UNIT type to the container.
Valgrind log:
Invalid read of size 4
at 0xC52332: Object::GetTypeId() const (Object.h:140)
by 0xF540D3: Map::RemoveAllObjectsInRemoveList() (Map.cpp:2136)
by 0xF53CD2: Map::DelayedUpdate(unsigned int) (Map.cpp:2087)
by 0xF639B1: MapManager::Update(unsigned int) (MapManager.cpp:292)
by 0x107CB40: World::Update(unsigned int) (World.cpp:2025)
by 0xBEB263: WorldRunnable::run() (WorldRunnable.cpp:60)
by 0x1213792: ACE_Based::Thread::ThreadTask(void*) (Threading.cpp:186)
by 0x515EA35: ACE_OS_Thread_Adapter::invoke() (in /usr/lib/libACE-6.0.3.so)
by 0x5F19F8D: start_thread (pthread_create.c:311)
by 0x6A46E1C: clone (clone.S:113)
Address 0x401eacac is 12 bytes inside a block of size 11,736 free'd
at 0x4C2B59C: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0xD80239: Player::~Player() (Player.cpp:915)
by 0xF4D5A2: void Map::DeleteFromWorld<Player>(Player*) (Map.cpp:319)
by 0xF4EBBB: Map::RemovePlayerFromMap(Player*, bool) (Map.cpp:687)
by 0xFCC18D: WorldSession::LogoutPlayer(bool) (WorldSession.cpp:531)
by 0xF1EDD5: WorldSession::HandleLogoutRequestOpcode(WorldPacket&) (MiscHandler.cpp:403)
by 0xFCAE37: WorldSession::Update(unsigned int, PacketFilter&) (WorldSession.cpp:312)
by 0x107EBC6: World::UpdateSessions(unsigned int) (World.cpp:2615)
by 0x107C94B: World::Update(unsigned int) (World.cpp:1978)
by 0xBEB263: WorldRunnable::run() (WorldRunnable.cpp:60)
by 0x1213792: ACE_Based::Thread::ThreadTask(void*) (Threading.cpp:186)
by 0x515EA35: ACE_OS_Thread_Adapter::invoke() (in /usr/lib/libACE-6.0.3.so)
Fix GuildMember flags left uninitialized when creating a new guild.
Valgrind log:
Conditional jump or move depends on uninitialised value(s)
at 0xEE49CE: Guild::Member::WritePacket(WorldPacket&) const (Guild.cpp:714)
by 0xEE721E: Guild::HandleRoster(WorldSession*) (Guild.cpp:1314)
by 0xEE9EBA: Guild::SendLoginInfo(WorldSession*) (Guild.cpp:1920)
by 0xEEB689: Guild::AddMember(unsigned long, unsigned char) (Guild.cpp:2230)
by 0xEE6A09: Guild::Create(Player*, std::string const&) (Guild.cpp:1199)
by 0x12A71F9: guild_commandscript::HandleGuildCreateCommand(ChatHandler*, char const*) (cs_guild.cpp:92)
by 0xC47DBE: ChatHandler::ExecuteCommandInTable(ChatCommand*, char const*, std::string const&) (Chat.cpp:362)
by 0xC47C23: ChatHandler::ExecuteCommandInTable(ChatCommand*, char const*, std::string const&) (Chat.cpp:343)
by 0xC488C4: ChatHandler::ParseCommands(char const*) (Chat.cpp:489)
by 0x1188EE3: WorldSession::HandleMessagechatOpcode(WorldPacket&) (ChatHandler.cpp:217)
by 0xFCAE37: WorldSession::Update(unsigned int, PacketFilter&) (WorldSession.cpp:312)
by 0x107EBC6: World::UpdateSessions(unsigned int) (World.cpp:2615)
Modify how InstanceSave is deleted so the local mutex can be released before deleting the class itself.
Valgrind log:
Invalid read of size 4
at 0x662662B: __pthread_mutex_unlock_usercnt (pthread_mutex_unlock.c:52)
by 0x55D3C55: ACE_OS::mutex_unlock(pthread_mutex_t*) (OS_NS_Thread.cpp:2335)
by 0xB20057: Player::CleanupsBeforeDelete(bool) (OS_NS_Thread.inl:3519)
by 0xD0E2FA: WorldSession::LogoutPlayer(bool) (WorldSession.cpp:527)
by 0xC66D34: WorldSession::HandleLogoutRequestOpcode(WorldPacket&) (MiscHandler.cpp:403)
by 0xD0EA82: WorldSession::Update(unsigned int, PacketFilter&) (WorldSession.cpp:312)
by 0xD9AD66: World::UpdateSessions(unsigned int) (World.cpp:2615)
by 0xD9BEC4: World::Update(unsigned int) (World.cpp:1978)
by 0xA035E5: WorldRunnable::run() (WorldRunnable.cpp:60)
by 0xEC8D39: ACE_Based::Thread::ThreadTask(void*) (Threading.cpp:183)
by 0x55D7555: ACE_OS_Thread_Adapter::invoke() (OS_Thread_Adapter.cpp:103)
by 0x6622B4F: start_thread (pthread_create.c:304)
Address 0x1884bb08 is 56 bytes inside a block of size 104 free'd
at 0x4C279DC: operator delete(void*) (vg_replace_malloc.c:457)
by 0xC9D533: InstanceSaveManager::RemoveInstanceSave(unsigned int) (InstanceSaveMgr.cpp:159)
by 0xC9E826: InstanceSave::UnloadIfEmpty() (InstanceSaveMgr.cpp:238)
by 0xB2003E: Player::CleanupsBeforeDelete(bool) (InstanceSaveMgr.h:84)
by 0xD0E2FA: WorldSession::LogoutPlayer(bool) (WorldSession.cpp:527)
by 0xC66D34: WorldSession::HandleLogoutRequestOpcode(WorldPacket&) (MiscHandler.cpp:403)
by 0xD0EA82: WorldSession::Update(unsigned int, PacketFilter&) (WorldSession.cpp:312)
by 0xD9AD66: World::UpdateSessions(unsigned int) (World.cpp:2615)
by 0xD9BEC4: World::Update(unsigned int) (World.cpp:1978)
by 0xA035E5: WorldRunnable::run() (WorldRunnable.cpp:60)
by 0xEC8D39: ACE_Based::Thread::ThreadTask(void*) (Threading.cpp:183)
by 0x55D7555: ACE_OS_Thread_Adapter::invoke() (OS_Thread_Adapter.cpp:103)
m_MonthlyQuestChanged was initialized only when loading a Player from DB and left uninitialized when creating a new Player.
Valgrind log:
Conditional jump or move depends on uninitialised value(s)
at 0x1148E2A: Player::_SaveMonthlyQuestStatus(Trinity::AutoPtr<Transaction, ACE_Thread_Mutex>&) (Player.cpp:19694)
by 0x1146510: Player::SaveToDB(bool) (Player.cpp:19191)
by 0x14F5D5C: WorldSession::HandleCharCreateCallback(Trinity::AutoPtr<PreparedResultSet, ACE_Thread_Mutex>, CharacterCreateInfo*) (CharacterHandler.cpp:660)
Closes#10620
Signed-off-by: Nay <dnpd.dd@gmail.com>
New column in account table is a base32 of token key bytes,
coincidentally it is the same format Google's Authenticator Android app uses.
If you want that to work, set system time on server correctly and use ntpd.
Closes#10527
Signed-off-by: Nay <dnpd.dd@gmail.com>
Increment the reference count of m_task in Thread::start() before spawning the actual Thread that will execute the task, otherwise the thread might finish, decRef the task and delete it.
Valgrind log of the issue:
Invalid read of size 8
at 0x1314CAD: ACE_Atomic_Op_GCC<long>::operator++() (Atomic_Op_GCC_T.inl:34)
by 0x15933FB: ACE_Based::Runnable::incReference() (Threading.h:36)
by 0x1592D2D: ACE_Based::Thread::start() (Threading.cpp:136)
by 0x1592C37: ACE_Based::Thread::Thread(ACE_Based::Runnable*) (Threading.cpp:111)
by 0xF6C463: Master::Run() (Master.cpp:195)
by 0xF725D0: main (Main.cpp:142)
Address 0x26137278 is 8 bytes inside a block of size 24 free'd
at 0x4C2B59C: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0xF67FDB: RARunnable::~RARunnable() (RARunnable.cpp:55)
by 0x1593441: ACE_Based::Runnable::decReference() (Threading.h:40)
by 0x1592E92: ACE_Based::Thread::ThreadTask(void*) (Threading.cpp:186)
by 0x515EA35: ACE_OS_Thread_Adapter::invoke() (in /usr/lib/libACE-6.0.3.so)
by 0x5F19F8D: start_thread (pthread_create.c:311)
by 0x6A46E1C: clone (clone.S:113)
Closes#10619
Initialized UpdateMask::_bits to NULL in all constructors.
UpdateMask(UpdateMask const& right) constructor sets the field count with SetCount() method before any field initialization. This means that SetCount() will call delete[] on the uninitialized _bits pointer field, leading to undefined behavior.
Remove mutex from BigNumber class - it didn't do what it was advertised to do - consider using the "locked" array outside of the function in which it was "locked".
