author | Shauren <shauren.trinity@gmail.com> | 2024-11-03 20:51:03 +0100 |
---|---|---|
committer | Shauren <shauren.trinity@gmail.com> | 2024-11-03 20:51:03 +0100 |
commit | b83de81a70b580045540ed4db5627aff5edc682c (patch) | |
tree | 7d04cd7106b10b597138ec7a0a5e103d978c0b6c /src/server/game/AuctionHouse/AuctionHouseMgr.cpp | |
parent | 780e8884043242aecd6cdf14fa0974ba0b923a2d (diff) |
Core/AuctionHouse: Fixed use after free
Closes #30128
Diffstat (limited to 'src/server/game/AuctionHouse/AuctionHouseMgr.cpp')
-rw-r--r-- | src/server/game/AuctionHouse/AuctionHouseMgr.cpp | 39 |
1 files changed, 22 insertions, 17 deletions
diff --git a/src/server/game/AuctionHouse/AuctionHouseMgr.cpp b/src/server/game/AuctionHouse/AuctionHouseMgr.cpp
index 09de6c3b0ef..bcc90f21ee4 100644
--- a/src/server/game/AuctionHouse/AuctionHouseMgr.cpp
+++ b/src/server/game/AuctionHouse/AuctionHouseMgr.cpp
@@ -1009,7 +1009,8 @@ void AuctionHouseObject::AddAuction(CharacterDatabaseTransaction trans, AuctionP
 sScriptMgr->OnAuctionAdd(this, addedAuction);
 }
 
-void AuctionHouseObject::RemoveAuction(CharacterDatabaseTransaction trans, AuctionPosting* auction, std::map<uint32, AuctionPosting>::iterator* auctionItr /*= nullptr*/)
+std::map<uint32, AuctionPosting>::node_type AuctionHouseObject::RemoveAuction(CharacterDatabaseTransaction trans, AuctionPosting* auction,
+ std::map<uint32, AuctionPosting>::iterator* auctionItr /*= nullptr*/)
 {
 AuctionsBucketData* bucket = auction->Bucket;
 
@@ -1068,7 +1069,10 @@ void AuctionHouseObject::RemoveAuction(CharacterDatabaseTransaction trans, Aucti
 bucket->QualityMask &= static_cast<AuctionHouseFilterMask>(~(1 << (quality + 4)));
 }
 else
+ {
+ auction->Bucket = nullptr;
 _buckets.erase(bucket->Key);
+ }
 
 CharacterDatabasePreparedStatement* stmt = CharacterDatabase.GetPreparedStatement(CHAR_DEL_AUCTION);
 stmt->setUInt32(0, auction->Id);
@@ -1084,9 +1088,9 @@ void AuctionHouseObject::RemoveAuction(CharacterDatabaseTransaction trans, Aucti
 Trinity::Containers::MultimapErasePair(_playerBidderAuctions, bidder, auction->Id);
 
 if (auctionItr)
- *auctionItr = _itemsByAuctionId.erase(*auctionItr);
+ return _itemsByAuctionId.extract((*auctionItr)++);
 else
- _itemsByAuctionId.erase(auction->Id);
+ return _itemsByAuctionId.extract(auction->Id);
 }
 
 void AuctionHouseObject::Update()
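Review bot: The new return value of RemoveAuction carries an ownership contract that nothing on the definition states: the returned node handle becomes the only owner of the AuctionPosting, so `auction` dangles as soon as a caller discards or destroys that handle. A comment above the signature such as `// Returns the extracted map node; *auction stays valid only while the caller keeps this handle alive` would make that explicit for callers that still ignore the result. The key-based return at the end of the function (`extract(auction->Id)`, @@ -1084 hunk) yields an empty handle when the id is not in the map, and `mapped()` on an empty handle is undefined, so the comment should also say the handle can be empty on that path. The function body continues outside this hunk.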
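Review bot: `auction->Bucket` is cleared only in the `else` branch where the bucket itself is erased; when the bucket survives, the extracted posting keeps pointing at a bucket that no longer accounts for it. The posting now outlives RemoveAuction inside the returned node and is handed to script hooks and mail senders afterwards, so any later reader of `Bucket` on that path would see stale bookkeeping. Provided nothing between this hunk and the final `extract` reads `auction->Bucket` (those lines are not shown), clearing it once after the if/else with `auction->Bucket = nullptr;` would cover both branches.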
@@ -1127,29 +1131,24 @@ void AuctionHouseObject::Update()
 continue;
 }
 
+ std::map<uint32, AuctionPosting>::node_type removedAuctionNode = RemoveAuction(trans, auction, &it);
+ auction = &removedAuctionNode.mapped();
+
 ///- Either cancel the auction if there was no bidder
 if (auction->Bidder.IsEmpty())
 {
- SendAuctionExpired(auction, trans);
 sScriptMgr->OnAuctionExpire(this, auction);
-
- RemoveAuction(trans, auction, &it);
+ SendAuctionExpired(auction, trans);
 }
 ///- Or perform the transaction
 else
 {
- // Copy data before freeing AuctionPosting in auctionHouse->RemoveAuction
- // Because auctionHouse->SendAuctionWon can unload items if bidder is offline
- // we need to RemoveAuction before sending mails
- AuctionPosting copy = *auction;
- RemoveAuction(trans, auction, &it);
-
+ sScriptMgr->OnAuctionSuccessful(this, auction);
 //we should send an "item sold" message if the seller is online
 //we send the item to the winner
 //we send the money to the seller
- SendAuctionSold(©, nullptr, trans);
- SendAuctionWon(©, nullptr, trans);
- sScriptMgr->OnAuctionSuccessful(this, auction);
+ SendAuctionSold(auction, nullptr, trans);
+ SendAuctionWon(auction, nullptr, trans);
 }
 }
 
@@ -1823,7 +1822,10 @@ void AuctionHouseObject::SendAuctionWon(AuctionPosting const* auction, Player* b
 {
 // bidder doesn't exist, delete the item
 for (Item* item : auction->Items)
- sAuctionMgr->RemoveAItem(item->GetGUID(), true, &trans);
+ {
+ item->FSetState(ITEM_REMOVED);
+ item->SaveToDB(trans);
+ }
 }
 }
 
@@ -1879,7 +1881,10 @@ void AuctionHouseObject::SendAuctionExpired(AuctionPosting const* auction, Chara
 {
 // owner doesn't exist, delete the item
 for (Item* item : auction->Items)
- sAuctionMgr->RemoveAItem(item->GetGUID(), true, &trans);
+ {
+ item->FSetState(ITEM_REMOVED);
+ item->SaveToDB(trans);
+ }
 }
 }
 
|
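Review bot: The deleted comment was the only place that explained why RemoveAuction has to run before the mails are sent (SendAuctionWon can unload items when the bidder is offline); the new code keeps that order but no longer says why. It also adds a second unstated constraint: `auction` now points into `removedAuctionNode` and stops being valid at the end of the loop iteration. I would put a comment above the new `RemoveAuction` call along the lines of `// Detach the auction first: the Send* calls may unload items. auction now lives in removedAuctionNode and is valid only for this iteration, so hooks must not retain it.` OnAuctionExpire also used to run while the auction was still registered in the house and now runs after removal, which a script that looks the auction up by id would notice. The loop body starts outside this hunk.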
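Review bot: After this loop `auction->Items` still holds every `Item*` that was just passed through `SaveToDB` in the `ITEM_REMOVED` state, and the same loop is repeated in SendAuctionExpired (the @@ -1879 hunk). Whether `SaveToDB` releases the object in that state is not visible here; if it does, the vector is left holding dangling pointers inside a posting that stays alive in the caller's node handle until the end of the iteration, and if it does not, nothing on this path frees the items that the replaced `RemoveAItem(..., true, ...)` call presumably took care of. A one-line comment on the loop stating which applies, e.g. `// SaveToDB in ITEM_REMOVED state deletes the rows and <frees / does not free> the Item`, would settle the ownership question. Moving the loop into one private helper shared by both functions would keep the two copies from drifting; both function bodies start outside their hunks.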