From 770f69d4e69b03e7ef19b550b6747bdbc86db04a Mon Sep 17 00:00:00 2001 
From: Shauren Date: Tue, 1 Oct 2013 22:06:39 +0200 Subject: Core/Vehicles: Fixed calling Vehicle::Uninstall on freed memory Valgrind log: ==7723== Invalid read of size 8 ==7723== at 0x10753CE: Vehicle::GetBase() const (Vehicle.h:51) ==7723== by 0x1072449: Vehicle::Uninstall() (Vehicle.cpp:159) ==7723== by 0x10B1E3C: Unit::RemoveVehicleKit() (Unit.cpp:15946) ==7723== by 0x10A8F32: Unit::RemoveFromWorld() (Unit.cpp:13441) ==7723== by 0x11A4703: Creature::RemoveFromWorld() (Creature.cpp:203) ==7723== by 0x11B9AB7: TempSummon::RemoveFromWorld() (TemporarySummon.cpp:279) ==7723== by 0x11B9C6C: Minion::RemoveFromWorld() (TemporarySummon.cpp:308) ==7723== by 0x10A917C: Unit::CleanupBeforeRemoveFromMap(bool) (Unit.cpp:13482) ==7723== by 0x10A926C: Unit::CleanupsBeforeDelete(bool) (Unit.cpp:13504) ==7723== by 0x12DBB89: Map::AddObjectToRemoveList(WorldObject*) (Map.cpp:2108) ==7723== by 0x10F4556: WorldObject::AddObjectToRemoveList() (Object.cpp:2140) ==7723== by 0x11B99C5: TempSummon::UnSummon(unsigned int) (TemporarySummon.cpp:256) ==7723== Address 0x3bd20530 is 64 bytes inside a block of size 168 free'd ==7723== at 0x4C2B59C: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==7723== by 0x1071FD3: Vehicle::~Vehicle() (Vehicle.cpp:66) ==7723== by 0x10B1E71: Unit::RemoveVehicleKit() (Unit.cpp:15947) ==7723== by 0x10A8F32: Unit::RemoveFromWorld() (Unit.cpp:13441) ==7723== by 0x11A4703: Creature::RemoveFromWorld() (Creature.cpp:203) ==7723== by 0x11B9AB7: TempSummon::RemoveFromWorld() (TemporarySummon.cpp:279) ==7723== by 0x11B9C6C: Minion::RemoveFromWorld() (TemporarySummon.cpp:308) ==7723== by 0x10A917C: Unit::CleanupBeforeRemoveFromMap(bool) (Unit.cpp:13482) ==7723== by 0x10A926C: Unit::CleanupsBeforeDelete(bool) (Unit.cpp:13504) ==7723== by 0x12DBB89: Map::AddObjectToRemoveList(WorldObject*) (Map.cpp:2108) ==7723== by 0x10F4556: WorldObject::AddObjectToRemoveList() (Object.cpp:2140) ==7723== by 0x11B99C5: TempSummon::UnSummon(unsigned int) 
(TemporarySummon.cpp:256)
---
 src/server/game/Entities/Unit/Unit.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/server/game/Entities/Unit/Unit.cpp b/src/server/game/Entities/Unit/Unit.cpp
index c34768c9851..7dccb471eae 100644
--- a/src/server/game/Entities/Unit/Unit.cpp
+++ b/src/server/game/Entities/Unit/Unit.cpp
@@ -15943,11 +15943,12 @@ void Unit::RemoveVehicleKit()
 if (!m_vehicleKit)
 return;
 
- m_vehicleKit->Uninstall();
- delete m_vehicleKit;
-
+ Vehicle* vehicle = m_vehicleKit;
 m_vehicleKit = NULL;
 
+ vehicle->Uninstall();
+ delete vehicle;
+
 m_updateFlag &= ~UPDATEFLAG_VEHICLE;
 m_unitTypeMask &= ~UNIT_MASK_VEHICLE;
 RemoveFlag(UNIT_NPC_FLAGS, UNIT_NPC_FLAG_SPELLCLICK);
--
cgit v1.2.3
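Review bot: While `vehicle->Uninstall()` runs, `m_vehicleKit` is already NULL but `m_unitTypeMask` still carries `UNIT_MASK_VEHICLE` and `m_updateFlag` still carries `UPDATEFLAG_VEHICLE`, because both are cleared only after the `delete`. Any code reached from Uninstall() that tests the mask and then dereferences `m_vehicleKit` would turn the use-after-free into a null dereference; Uninstall()'s body is not visible here, so this should be checked against its callees. The statement order is the entire fix and is easy to undo in a later tidy-up, so I would add a comment above the local, e.g. `// Detach m_vehicleKit first: judging by the Valgrind trace, Uninstall() can end up back in RemoveVehicleKit(), which must not find and delete the kit again`. The function's opening and closing lines lie outside the hunk.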