From 6a304a82b11d0be767dd9c5ef9e207df9f7f7173 Mon Sep 17 00:00:00 2001
From: Shauren
Date: Wed, 23 Aug 2023 11:03:52 +0200
Subject: Core/Units: Fixed possible use after free in ThreatManager

Closes #28830

(cherry picked from commit 3e3968b63c4192b766de69c8f4744adba406c94b)
---
 src/server/game/Combat/ThreatManager.cpp | 10 ++++++----
 src/server/game/Combat/ThreatManager.h   |  4 ++--
 2 files changed, 8 insertions(+), 6 deletions(-)

(limited to 'src')

diff --git a/src/server/game/Combat/ThreatManager.cpp b/src/server/game/Combat/ThreatManager.cpp
index bf859907bec..1789341bac0 100644
--- a/src/server/game/Combat/ThreatManager.cpp
+++ b/src/server/game/Combat/ThreatManager.cpp
@@ -19,6 +19,7 @@
 #include "Creature.h"
 #include "CreatureAI.h"
 #include "CreatureGroups.h"
+#include "MapUtils.h"
 #include "MotionMaster.h"
 #include "Player.h"
 #include "TemporarySummon.h"
@@ -83,7 +84,7 @@ void ThreatReference::UpdateOffline()
     {
         _online = ShouldBeSuppressed() ? ONLINE_STATE_SUPPRESSED : ONLINE_STATE_ONLINE;
         HeapNotifyIncreased();
-        _mgr.RegisterForAIUpdate(this);
+        _mgr.RegisterForAIUpdate(GetVictim()->GetGUID());
     }
 }
@@ -656,11 +657,12 @@ ThreatReference const* ThreatManager::ReselectVictim()
 void ThreatManager::ProcessAIUpdates()
 {
     CreatureAI* ai = ASSERT_NOTNULL(_owner->ToCreature())->AI();
-    std::vector v(std::move(_needsAIUpdate)); // _needsAIUpdate is now empty in case this triggers a recursive call
+    std::vector v(std::move(_needsAIUpdate)); // _needsAIUpdate is now empty in case this triggers a recursive call
     if (!ai)
         return;
-    for (ThreatReference const* ref : v)
-        ai->JustStartedThreateningMe(ref->GetVictim());
+    for (ObjectGuid const& guid : v)
+        if (ThreatReference const* ref = Trinity::Containers::MapGetValuePtr(_myThreatListEntries, guid))
+            ai->JustStartedThreateningMe(ref->GetVictim());
 }
 // returns true if a is LOWER on the threat list than b
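Review bot: The GUID re-lookup in the `for` loop of ProcessAIUpdates is the actual use-after-free guard, yet it carries no comment, so a later reader may "simplify" it back into iterating references directly; I would annotate the `if` with `// re-resolve through the GUID: the reference queued in UpdateOffline() may already have been erased (e.g. by a ClearThreat issued from an AI callback earlier in this loop), in which case the notify is simply skipped`. Because every entry is re-resolved independently, a victim whose GUID was queued more than once before this runs is still notified once per queued entry, and a reference that has since gone offline again is still notified; if ThreatReference exposes an online/offline accessor (not visible here), narrowing the condition to `ref && ref->IsOnline()` would keep the callback honest to its name. In the UpdateOffline hunk, `GetVictim()->GetGUID()` dereferences the victim unconditionally, which is only safe if a ThreatReference always carries a non-null victim — that invariant is not visible in the hunk and is worth confirming. UpdateOffline's body starts before the hunk, so the surrounding condition that reaches this branch is not shown.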
diff --git a/src/server/game/Combat/ThreatManager.h b/src/server/game/Combat/ThreatManager.h
index 8cc792b0c1f..b78a2e59b37 100644
--- a/src/server/game/Combat/ThreatManager.h
+++ b/src/server/game/Combat/ThreatManager.h
@@ -204,8 +204,8 @@ class TC_GAME_API ThreatManager
         // AI notifies are delayed to ensure we are in a consistent state before we call out to arbitrary logic
         // threat references might register themselves here when ::UpdateOffline() is called - MAKE SURE THIS IS PROCESSED JUST BEFORE YOU EXIT THREATMANAGER LOGIC
         void ProcessAIUpdates();
-        void RegisterForAIUpdate(ThreatReference const* ref) { _needsAIUpdate.push_back(ref); }
-        std::vector _needsAIUpdate;
+        void RegisterForAIUpdate(ObjectGuid const& guid) { _needsAIUpdate.push_back(guid); }
+        std::vector _needsAIUpdate;
         // picks a new victim - called from ::Update periodically
         void UpdateVictim();
-- 
cgit v1.2.3
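Review bot: The comment above the changed declarations still says threat references "register themselves here", which after this change is no longer literally true — a victim GUID is queued, precisely so the reference may be destroyed before ProcessAIUpdates() runs; I would reword it to `// threat references queue their victim's GUID here when ::UpdateOffline() is called (a GUID rather than a pointer, because the reference may be destroyed before the update is processed) - MAKE SURE THIS IS PROCESSED JUST BEFORE YOU EXIT THREATMANAGER LOGIC`. RegisterForAIUpdate still pushes unconditionally, so the same GUID can be queued several times within one update cycle and the consumer has to tolerate that; whether it does is decided in ProcessAIUpdates, outside this hunk. The enclosing class ThreatManager starts before and ends after this hunk.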