Core/Vehicles: Fixed a crash caused by accessing freed memory

Valgrind log: ==1357== Invalid read of size 8 ==1357== at 0x108339C: std::_Rb_tree<signed char, std::pair<signed char const, VehicleSeat>, std::_Select1st<std::pair<signed char const, VehicleSeat> >, std::less<signed char>, std::allocator<std::pair<signed char const, VehicleSeat> > >::begin() (stl_tree.h:685) ==1357== by 0x1082B23: std::map<signed char, VehicleSeat, std::less<signed char>, std::allocator<std::pair<signed char const, VehicleSeat> > >::begin() (stl_map.h:321) ==1357== by 0x1567152: VehicleAI::CheckConditions(unsigned int) (CombatAI.cpp:330) ==1357== by 0x1566EE5: VehicleAI::UpdateAI(unsigned int) (CombatAI.cpp:285) ==1357== by 0x11A8FB3: Creature::Update(unsigned int) (Creature.cpp:543) ==1357== by 0x11BC1A2: TempSummon::Update(unsigned int) (TemporarySummon.cpp:47) ==1357== by 0x12E8194: Trinity::ObjectUpdater::Visit(GridRefManager<Creature>&) (GridNotifiersImpl.h:45) ==1357== by 0x12F31BD: void VisitorHelper<Trinity::ObjectUpdater, Creature>(Trinity::ObjectUpdater&, ContainerMapList<Creature>&) (TypeContainerVisitor.h:64) ==1357== by 0x12F2CCB: void VisitorHelper<Trinity::ObjectUpdater, Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > >(Trinity::ObjectUpdater&, ContainerMapList<TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > >&) (TypeContainerVisitor.h:70) ==1357== by 0x12F251F: void VisitorHelper<Trinity::ObjectUpdater, GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > >(Trinity::ObjectUpdater&, ContainerMapList<TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > >&) (TypeContainerVisitor.h:71) ==1357== by 0x12F1BA5: void VisitorHelper<Trinity::ObjectUpdater, TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > >(Trinity::ObjectUpdater&, TypeMapContainer<TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > >&) (TypeContainerVisitor.h:94) ==1357== by 0x12F0DDD: TypeContainerVisitor<Trinity::ObjectUpdater, TypeMapContainer<TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > > >::Visit(TypeMapContainer<TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > >&) (TypeContainerVisitor.h:105) ==1357== by 0x12EF5A0: void Grid<Player, TypeList<Player, TypeList<Creature, TypeList<Corpse, TypeList<DynamicObject, TypeNull> > > >, TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > >::Visit<Trinity::ObjectUpdater>(TypeContainerVisitor<Trinity::ObjectUpdater, TypeMapContainer<TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > > >&) (Grid.h:91) ==1357== by 0x12ED766: void NGrid<8u, Player, TypeList<Player, TypeList<Creature, TypeList<Corpse, TypeList<DynamicObject, TypeNull> > > >, TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > >::VisitGrid<Trinity::ObjectUpdater, TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > >(unsigned int, unsigned int, TypeContainerVisitor<Trinity::ObjectUpdater, TypeMapContainer<TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > > >&) (NGrid.h:157) ==1357== by 0x12EA2D3: void Map::Visit<Trinity::ObjectUpdater, TypeMapContainer<TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > > >(Cell const&, TypeContainerVisitor<Trinity::ObjectUpdater, TypeMapContainer<TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > > >&) (Map.h:701) ==1357== by 0x12DCD84: Map::VisitNearbyCellsOf(WorldObject*, TypeContainerVisitor<Trinity::ObjectUpdater, TypeMapContainer<TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > > >&, TypeContainerVisitor<Trinity::ObjectUpdater, TypeMapContainer<TypeList<Player, TypeList<Creature, TypeList<Corpse, TypeList<DynamicObject, TypeNull> > > > > >&) (Map.cpp:604) ==1357== by 0x12DD045: Map::Update(unsigned int) (Map.cpp:646) ==1357== by 0x1520E03: MapUpdateRequest::call() (MapUpdater.cpp:54) ==1357== by 0x1596958: DelayExecutor::svc() (DelayExecutor.cpp:52) ==1357== by 0x5184E56: ACE_Task_Base::svc_run(void*) (in /usr/lib/libACE-6.0.3.so) ==1357== Address 0x2a849600 is 32 bytes inside a block of size 168 free'd ==1357== at 0x4C2BADC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==1357== by 0x107F309: Vehicle::~Vehicle() (Vehicle.cpp:66) ==1357== by 0x10BE0D2: Unit::RemoveVehicleKit() (Unit.cpp:15949) ==1357== by 0x10B52CA: Unit::RemoveFromWorld() (Unit.cpp:13440) ==1357== by 0x11A7D73: Creature::RemoveFromWorld() (Creature.cpp:204) ==1357== by 0x11BCBAA: TempSummon::RemoveFromWorld() (TemporarySummon.cpp:279) ==1357== by 0x11BCD5E: Minion::RemoveFromWorld() (TemporarySummon.cpp:308) ==1357== by 0x10B5514: Unit::CleanupBeforeRemoveFromMap(bool) (Unit.cpp:13481) ==1357== by 0x10B5605: Unit::CleanupsBeforeDelete(bool) (Unit.cpp:13503) ==1357== by 0x12E3B67: Map::AddObjectToRemoveList(WorldObject*) (Map.cpp:2401) ==1357== by 0x10FCAAC: WorldObject::AddObjectToRemoveList() (Object.cpp:2138) ==1357== by 0x11BCABA: TempSummon::UnSummon(unsigned int) (TemporarySummon.cpp:256) ==1357== by 0x11BCAFA: ForcedUnsummonDelayEvent::Execute(unsigned long, unsigned int) (TemporarySummon.cpp:261) ==1357== by 0x159B665: EventProcessor::Update(unsigned int) (EventProcessor.cpp:47) ==1357== by 0x10858E2: Unit::Update(unsigned int) (Unit.cpp:318) ==1357== by 0x11A8E6C: Creature::Update(unsigned int) (Creature.cpp:519) ==1357== by 0x11BC1A2: TempSummon::Update(unsigned int) (TemporarySummon.cpp:47) ==1357== by 0x12E8194: Trinity::ObjectUpdater::Visit(GridRefManager<Creature>&) (GridNotifiersImpl.h:45) ==1357== by 0x12F31BD: void VisitorHelper<Trinity::ObjectUpdater, Creature>(Trinity::ObjectUpdater&, ContainerMapList<Creature>&) (TypeContainerVisitor.h:64) ==1357== by 0x12F2CCB: void VisitorHelper<Trinity::ObjectUpdater, Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > >(Trinity::ObjectUpdater&, ContainerMapList<TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > >&) (TypeContainerVisitor
author: Shauren <shauren.trinity@gmail.com> 2013-10-27 23:05:31 +0100
committer: Shauren <shauren.trinity@gmail.com> 2013-10-27 23:05:31 +0100
commit: cf72f7cc5cf13607dd7353b8d940d56679b6956b (patch)
tree: 549832a7aeb17276ab3030d32a0034c754554ac6 /src
parent: 29570076d5b575814368d6aa3f7c53b675aa1752 (diff)
2 files changed, 10 insertions, 6 deletions
diff --git a/src/server/game/AI/CoreAI/CombatAI.cpp b/src/server/game/AI/CoreAI/CombatAI.cpp
index 85088bbeff4..e08bd65c091 100644
--- a/src/server/game/AI/CoreAI/CombatAI.cpp
+++ b/src/server/game/AI/CoreAI/CombatAI.cpp
@@ -272,7 +272,7 @@ void TurretAI::UpdateAI(uint32 /*diff*/)
 //VehicleAI
 //////////////
 
-VehicleAI::VehicleAI(Creature* c) : CreatureAI(c), m_vehicle(c->GetVehicleKit()), m_IsVehicleInUse(false), m_ConditionsTimer(VEHICLE_CONDITION_CHECK_TIME)
+VehicleAI::VehicleAI(Creature* c) : CreatureAI(c), m_IsVehicleInUse(false), m_ConditionsTimer(VEHICLE_CONDITION_CHECK_TIME)
 {
     LoadConditions();
     m_DoDismiss = false;
@@ -291,7 +291,9 @@ void VehicleAI::UpdateAI(uint32 diff)
             m_DoDismiss = false;
             me->SetVisible(false);
             me->DespawnOrUnsummon();
-        }else m_DismissTimer -= diff;
+        }
+        else
+            m_DismissTimer -= diff;
     }
 }
 
@@ -310,6 +312,7 @@ void VehicleAI::OnCharmed(bool apply)
     }
     else if (apply)
         m_DoDismiss = false;//in use again
+
     m_DismissTimer = VEHICLE_DISMISS_TIME;//reset timer
     m_IsVehicleInUse = apply;
 }
@@ -327,8 +330,8 @@ void VehicleAI::CheckConditions(const uint32 diff)
     {
         if (!conditions.empty())
         {
-            for (SeatMap::iterator itr = m_vehicle->Seats.begin(); itr != m_vehicle->Seats.end(); ++itr)
-                if (Unit* passenger = ObjectAccessor::GetUnit(*m_vehicle->GetBase(), itr->second.Passenger.Guid))
+            for (SeatMap::iterator itr = me->GetVehicleKit()->Seats.begin(); itr != me->GetVehicleKit()->Seats.end(); ++itr)
+                if (Unit* passenger = ObjectAccessor::GetUnit(*me, itr->second.Passenger.Guid))
                 {
                     if (Player* player = passenger->ToPlayer())
                     {
@@ -341,5 +344,7 @@ void VehicleAI::CheckConditions(const uint32 diff)
                 }
         }
         m_ConditionsTimer = VEHICLE_CONDITION_CHECK_TIME;
-    } else m_ConditionsTimer -= diff;
+    }
+    else
+        m_ConditionsTimer -= diff;
 }
diff --git a/src/server/game/AI/CoreAI/CombatAI.h b/src/server/game/AI/CoreAI/CombatAI.h
index 315ff861da9..11dfe7baed4 100644
--- a/src/server/game/AI/CoreAI/CombatAI.h
+++ b/src/server/game/AI/CoreAI/CombatAI.h
@@ -105,7 +105,6 @@ struct VehicleAI : public CreatureAI
         void OnCharmed(bool apply);
 
     private:
-        Vehicle* m_vehicle;
         bool m_IsVehicleInUse;
         void LoadConditions();
         void CheckConditions(const uint32 diff);
author	Shauren <shauren.trinity@gmail.com>	2013-10-27 23:05:31 +0100
committer	Shauren <shauren.trinity@gmail.com>	2013-10-27 23:05:31 +0100
commit	cf72f7cc5cf13607dd7353b8d940d56679b6956b (patch)
tree	549832a7aeb17276ab3030d32a0034c754554ac6 /src
parent	29570076d5b575814368d6aa3f7c53b675aa1752 (diff)