From cf72f7cc5cf13607dd7353b8d940d56679b6956b Mon Sep 17 00:00:00 2001
From: Shauren <shauren.trinity@gmail.com>
Date: Sun, 27 Oct 2013 23:05:31 +0100
Subject: Core/Vehicles: Fixed a crash caused by accessing freed memory

Valgrind log:
==1357== Invalid read of size 8
==1357== at 0x108339C: std::_Rb_tree<signed char, std::pair<signed char const, VehicleSeat>, std::_Select1st<std::pair<signed char const, VehicleSeat> >, std::less<signed char>, std::allocator<std::pair<signed char const, VehicleSeat> > >::begin() (stl_tree.h:685)
==1357== by 0x1082B23: std::map<signed char, VehicleSeat, std::less<signed char>, std::allocator<std::pair<signed char const, VehicleSeat> > >::begin() (stl_map.h:321)
==1357== by 0x1567152: VehicleAI::CheckConditions(unsigned int) (CombatAI.cpp:330)
==1357== by 0x1566EE5: VehicleAI::UpdateAI(unsigned int) (CombatAI.cpp:285)
==1357== by 0x11A8FB3: Creature::Update(unsigned int) (Creature.cpp:543)
==1357== by 0x11BC1A2: TempSummon::Update(unsigned int) (TemporarySummon.cpp:47)
==1357== by 0x12E8194: Trinity::ObjectUpdater::Visit(GridRefManager<Creature>&) (GridNotifiersImpl.h:45)
==1357== by 0x12F31BD: void VisitorHelper<Trinity::ObjectUpdater, Creature>(Trinity::ObjectUpdater&, ContainerMapList<Creature>&) (TypeContainerVisitor.h:64)
==1357== by 0x12F2CCB: void VisitorHelper<Trinity::ObjectUpdater, Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > >(Trinity::ObjectUpdater&, ContainerMapList<TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > >&) (TypeContainerVisitor.h:70)
==1357== by 0x12F251F: void VisitorHelper<Trinity::ObjectUpdater, GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > >(Trinity::ObjectUpdater&, ContainerMapList<TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > >&) (TypeContainerVisitor.h:71)
==1357== by 0x12F1BA5: void VisitorHelper<Trinity::ObjectUpdater, TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > >(Trinity::ObjectUpdater&, TypeMapContainer<TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > >&) (TypeContainerVisitor.h:94)
==1357== by 0x12F0DDD: TypeContainerVisitor<Trinity::ObjectUpdater, TypeMapContainer<TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > > >::Visit(TypeMapContainer<TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > >&) (TypeContainerVisitor.h:105)
==1357== by 0x12EF5A0: void Grid<Player, TypeList<Player, TypeList<Creature, TypeList<Corpse, TypeList<DynamicObject, TypeNull> > > >, TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > >::Visit<Trinity::ObjectUpdater>(TypeContainerVisitor<Trinity::ObjectUpdater, TypeMapContainer<TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > > >&) (Grid.h:91)
==1357== by 0x12ED766: void NGrid<8u, Player, TypeList<Player, TypeList<Creature, TypeList<Corpse, TypeList<DynamicObject, TypeNull> > > >, TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > >::VisitGrid<Trinity::ObjectUpdater, TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > >(unsigned int, unsigned int, TypeContainerVisitor<Trinity::ObjectUpdater, TypeMapContainer<TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > > >&) (NGrid.h:157)
==1357== by 0x12EA2D3: void Map::Visit<Trinity::ObjectUpdater, TypeMapContainer<TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > > >(Cell const&, TypeContainerVisitor<Trinity::ObjectUpdater, TypeMapContainer<TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > > >&) (Map.h:701)
==1357== by 0x12DCD84: Map::VisitNearbyCellsOf(WorldObject*, TypeContainerVisitor<Trinity::ObjectUpdater, TypeMapContainer<TypeList<GameObject, TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > > > >&, TypeContainerVisitor<Trinity::ObjectUpdater, TypeMapContainer<TypeList<Player, TypeList<Creature, TypeList<Corpse, TypeList<DynamicObject, TypeNull> > > > > >&) (Map.cpp:604)
==1357== by 0x12DD045: Map::Update(unsigned int) (Map.cpp:646)
==1357== by 0x1520E03: MapUpdateRequest::call() (MapUpdater.cpp:54)
==1357== by 0x1596958: DelayExecutor::svc() (DelayExecutor.cpp:52)
==1357== by 0x5184E56: ACE_Task_Base::svc_run(void*) (in /usr/lib/libACE-6.0.3.so)
==1357== Address 0x2a849600 is 32 bytes inside a block of size 168 free'd
==1357== at 0x4C2BADC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1357== by 0x107F309: Vehicle::~Vehicle() (Vehicle.cpp:66)
==1357== by 0x10BE0D2: Unit::RemoveVehicleKit() (Unit.cpp:15949)
==1357== by 0x10B52CA: Unit::RemoveFromWorld() (Unit.cpp:13440)
==1357== by 0x11A7D73: Creature::RemoveFromWorld() (Creature.cpp:204)
==1357== by 0x11BCBAA: TempSummon::RemoveFromWorld() (TemporarySummon.cpp:279)
==1357== by 0x11BCD5E: Minion::RemoveFromWorld() (TemporarySummon.cpp:308)
==1357== by 0x10B5514: Unit::CleanupBeforeRemoveFromMap(bool) (Unit.cpp:13481)
==1357== by 0x10B5605: Unit::CleanupsBeforeDelete(bool) (Unit.cpp:13503)
==1357== by 0x12E3B67: Map::AddObjectToRemoveList(WorldObject*) (Map.cpp:2401)
==1357== by 0x10FCAAC: WorldObject::AddObjectToRemoveList() (Object.cpp:2138)
==1357== by 0x11BCABA: TempSummon::UnSummon(unsigned int) (TemporarySummon.cpp:256)
==1357== by 0x11BCAFA: ForcedUnsummonDelayEvent::Execute(unsigned long, unsigned int) (TemporarySummon.cpp:261)
==1357== by 0x159B665: EventProcessor::Update(unsigned int) (EventProcessor.cpp:47)
==1357== by 0x10858E2: Unit::Update(unsigned int) (Unit.cpp:318)
==1357== by 0x11A8E6C: Creature::Update(unsigned int) (Creature.cpp:519)
==1357== by 0x11BC1A2: TempSummon::Update(unsigned int) (TemporarySummon.cpp:47)
==1357== by 0x12E8194: Trinity::ObjectUpdater::Visit(GridRefManager<Creature>&) (GridNotifiersImpl.h:45)
==1357== by 0x12F31BD: void VisitorHelper<Trinity::ObjectUpdater, Creature>(Trinity::ObjectUpdater&, ContainerMapList<Creature>&) (TypeContainerVisitor.h:64)
==1357== by 0x12F2CCB: void VisitorHelper<Trinity::ObjectUpdater, Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > >(Trinity::ObjectUpdater&, ContainerMapList<TypeList<Creature, TypeList<DynamicObject, TypeList<Corpse, TypeNull> > > >&) (TypeContainerVisitor
---
 src/server/game/AI/CoreAI/CombatAI.cpp | 15 ++++++++++-----
 src/server/game/AI/CoreAI/CombatAI.h   |  1 -
 2 files changed, 10 insertions(+), 6 deletions(-)

(limited to 'src')

diff --git a/src/server/game/AI/CoreAI/CombatAI.cpp b/src/server/game/AI/CoreAI/CombatAI.cpp
index 85088bbeff4..e08bd65c091 100644
--- a/src/server/game/AI/CoreAI/CombatAI.cpp
+++ b/src/server/game/AI/CoreAI/CombatAI.cpp
@@ -272,7 +272,7 @@ void TurretAI::UpdateAI(uint32 /*diff*/)
 //VehicleAI
 //////////////
 
-VehicleAI::VehicleAI(Creature* c) : CreatureAI(c), m_vehicle(c->GetVehicleKit()), m_IsVehicleInUse(false), m_ConditionsTimer(VEHICLE_CONDITION_CHECK_TIME)
+VehicleAI::VehicleAI(Creature* c) : CreatureAI(c), m_IsVehicleInUse(false), m_ConditionsTimer(VEHICLE_CONDITION_CHECK_TIME)
 {
     LoadConditions();
     m_DoDismiss = false;
@@ -291,7 +291,9 @@ void VehicleAI::UpdateAI(uint32 diff)
             m_DoDismiss = false;
             me->SetVisible(false);
             me->DespawnOrUnsummon();
-        }else m_DismissTimer -= diff;
+        }
+        else
+            m_DismissTimer -= diff;
     }
 }
 
@@ -310,6 +312,7 @@ void VehicleAI::OnCharmed(bool apply)
     }
     else if (apply)
         m_DoDismiss = false;//in use again
+
     m_DismissTimer = VEHICLE_DISMISS_TIME;//reset timer
     m_IsVehicleInUse = apply;
 }
@@ -327,8 +330,8 @@ void VehicleAI::CheckConditions(const uint32 diff)
     {
         if (!conditions.empty())
         {
-            for (SeatMap::iterator itr = m_vehicle->Seats.begin(); itr != m_vehicle->Seats.end(); ++itr)
-                if (Unit* passenger = ObjectAccessor::GetUnit(*m_vehicle->GetBase(), itr->second.Passenger.Guid))
+            for (SeatMap::iterator itr = me->GetVehicleKit()->Seats.begin(); itr != me->GetVehicleKit()->Seats.end(); ++itr)
+                if (Unit* passenger = ObjectAccessor::GetUnit(*me, itr->second.Passenger.Guid))
                 {
                     if (Player* player = passenger->ToPlayer())
                     {
@@ -341,5 +344,7 @@ void VehicleAI::CheckConditions(const uint32 diff)
                 }
         }
         m_ConditionsTimer = VEHICLE_CONDITION_CHECK_TIME;
-    } else m_ConditionsTimer -= diff;
+    }
+    else
+        m_ConditionsTimer -= diff;
 }
diff --git a/src/server/game/AI/CoreAI/CombatAI.h b/src/server/game/AI/CoreAI/CombatAI.h
index 315ff861da9..11dfe7baed4 100644
--- a/src/server/game/AI/CoreAI/CombatAI.h
+++ b/src/server/game/AI/CoreAI/CombatAI.h
@@ -105,7 +105,6 @@ struct VehicleAI : public CreatureAI
         void OnCharmed(bool apply);
 
     private:
-        Vehicle* m_vehicle;
         bool m_IsVehicleInUse;
         void LoadConditions();
         void CheckConditions(const uint32 diff);
-- 
cgit v1.2.3