From 8d43d2bafc2e2c42e51c82d0526f2c9c0fd79f53 Mon Sep 17 00:00:00 2001
From: Shauren
Date: Tue, 22 Aug 2023 19:34:21 +0200
Subject: Core/Movement: Fixed use after free in WaypointMovementGenerator Closes #29274
---
 .../Movement/MovementGenerators/WaypointMovementGenerator.cpp | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/server/game/Movement/MovementGenerators/WaypointMovementGenerator.cpp b/src/server/game/Movement/MovementGenerators/WaypointMovementGenerator.cpp
index 6e05644f3c8..65181a09ac1 100755
--- a/src/server/game/Movement/MovementGenerators/WaypointMovementGenerator.cpp
+++ b/src/server/game/Movement/MovementGenerators/WaypointMovementGenerator.cpp
@@ -240,13 +240,16 @@ void WaypointMovementGenerator::OnArrived(Creature* owner)
 return;
 ASSERT(_currentNode < _path->nodes.size(), "WaypointMovementGenerator::OnArrived: tried to reference a node id (%u) which is not included in path (%u)", _currentNode, _path->id);
- WaypointNode const &waypoint = _path->nodes.at(_currentNode);
+ WaypointNode const& waypoint = _path->nodes[_currentNode];
 if (waypoint.delay)
 {
 owner->ClearUnitState(UNIT_STATE_ROAMING_MOVE);
 _nextMoveTime.Reset(waypoint.delay);
 }
+ // scripts can invalidate current path, store what we need
+ uint32 waypointId = waypoint.id;
+ uint32 pathId = _path->id;
 if (waypoint.eventId && urand(0, 99) < waypoint.eventChance)
 {
 TC_LOG_DEBUG("maps.script", "Creature movement start script {} at point {} for {}.", waypoint.eventId, _currentNode, owner->GetGUID().ToString());
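Review bot: The reference `waypoint` stays in scope after the two snapshot locals are taken, so a later read of `waypoint.id` or `_path->id` past the script call would bring the use-after-free back without the compiler noticing. I would make the intent explicit where the locals are declared: `uint32 const waypointId = waypoint.id;`, `uint32 const pathId = _path->id;`, and extend the comment to `// scripts can invalidate the current path: do not touch waypoint or _path after this point`. The same hunk swaps `nodes.at(_currentNode)` for `nodes[_currentNode]`, which leaves the preceding ASSERT as the only bounds check; that holds only if ASSERT stays active in release builds, which this hunk does not show. OnArrived starts before the hunk and the `if (waypoint.eventId ...)` block continues past it.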
@@ -258,10 +261,10 @@ void WaypointMovementGenerator::OnArrived(Creature* owner)
 if (CreatureAI* AI = owner->AI())
 {
 AI->MovementInform(WAYPOINT_MOTION_TYPE, _currentNode);
- AI->WaypointReached(waypoint.id, _path->id);
+ AI->WaypointReached(waypointId, pathId);
 }
- owner->UpdateCurrentWaypointInfo(waypoint.id, _path->id);
+ owner->UpdateCurrentWaypointInfo(waypointId, pathId);
 }
 void WaypointMovementGenerator::StartMove(Creature* owner, bool relaunch/* = false*/)
-- cgit v1.2.3
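Review bot: `AI->MovementInform(WAYPOINT_MOTION_TYPE, _currentNode)` still reads a member of the generator after the event script has run (presumably in the lines between the two hunks), and `MovementInform` is itself a script callback that runs before `WaypointReached`. The snapshot covers the path being freed; if a script can also replace or remove this movement generator, `_currentNode` would be read through a dangling `this`. I cannot confirm that from the hunk, so it is worth checking who owns the generator during these callbacks. If that can happen, snapshot the index with the other two values, `uint32 const currentNode = _currentNode;`, and pass `currentNode` to `MovementInform`. The start of OnArrived is outside this hunk.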