diff options
| author | Simon Howard | 2015-04-26 18:55:43 -0400 |
|---|---|---|
| committer | Simon Howard | 2015-04-26 18:55:43 -0400 |
| commit | 1bcff874c52aca3134cee636178ab5d6272fef58 (patch) | |
| tree | bc43085ef719d5c8fc9633e029e969bc33860abc | |
| parent | a915b13e0d0c612c12b8f54132ffa3189375dde5 (diff) | |
| download | chocolate-doom-1bcff874c52aca3134cee636178ab5d6272fef58.tar.gz chocolate-doom-1bcff874c52aca3134cee636178ab5d6272fef58.tar.bz2 chocolate-doom-1bcff874c52aca3134cee636178ab5d6272fef58.zip | |
Don't read currentthinker->next after Z_Free().
Save the next pointer in the P_RunThinkers() loop when iterating through
thinkers, so that if the current thinker is freed we can still advance
to the next thinker without dereferencing freed memory.
| -rw-r--r-- | src/doom/p_tick.c | 8 | ||||
| -rw-r--r-- | src/heretic/p_tick.c | 6 | ||||
| -rw-r--r-- | src/hexen/p_tick.c | 7 | ||||
| -rw-r--r-- | src/strife/p_tick.c | 7 |
4 files changed, 19 insertions, 9 deletions
diff --git a/src/doom/p_tick.c b/src/doom/p_tick.c index 22893500..c933cfe9 100644 --- a/src/doom/p_tick.c +++ b/src/doom/p_tick.c @@ -93,24 +93,26 @@ void P_AllocateThinker (thinker_t* thinker) // void P_RunThinkers (void) { - thinker_t* currentthinker; + thinker_t *currentthinker, *nextthinker; currentthinker = thinkercap.next; while (currentthinker != &thinkercap) { + nextthinker = currentthinker->next; + if ( currentthinker->function.acv == (actionf_v)(-1) ) { // time to remove it currentthinker->next->prev = currentthinker->prev; currentthinker->prev->next = currentthinker->next; - Z_Free (currentthinker); + Z_Free(currentthinker); } else { if (currentthinker->function.acp1) currentthinker->function.acp1 (currentthinker); } - currentthinker = currentthinker->next; + currentthinker = nextthinker; } } diff --git a/src/heretic/p_tick.c b/src/heretic/p_tick.c index c93a211f..323cc1e6 100644 --- a/src/heretic/p_tick.c +++ b/src/heretic/p_tick.c @@ -110,11 +110,13 @@ void P_AllocateThinker(thinker_t * thinker) void P_RunThinkers(void) { - thinker_t *currentthinker; + thinker_t *currentthinker, *nextthinker; currentthinker = thinkercap.next; while (currentthinker != &thinkercap) { + nextthinker = currentthinker->next; + if (currentthinker->function == (think_t) - 1) { // time to remove it currentthinker->next->prev = currentthinker->prev; @@ -126,7 +128,7 @@ void P_RunThinkers(void) if (currentthinker->function) currentthinker->function(currentthinker); } - currentthinker = currentthinker->next; + currentthinker = nextthinker; } } diff --git a/src/hexen/p_tick.c b/src/hexen/p_tick.c index 95242ccd..c58d6e82 100644 --- a/src/hexen/p_tick.c +++ b/src/hexen/p_tick.c @@ -86,11 +86,13 @@ void P_Ticker(void) static void RunThinkers(void) { - thinker_t *currentthinker; + thinker_t *currentthinker, *nextthinker; currentthinker = thinkercap.next; while (currentthinker != &thinkercap) { + nextthinker = currentthinker->next; + if (currentthinker->function == (think_t) - 1) { // Time to remove it currentthinker->next->prev = currentthinker->prev; @@ -101,7 +103,8 @@ static void RunThinkers(void) { currentthinker->function(currentthinker); } - currentthinker = currentthinker->next; + + currentthinker = nextthinker; } } diff --git a/src/strife/p_tick.c b/src/strife/p_tick.c index f4ed2711..c0dd4786 100644 --- a/src/strife/p_tick.c +++ b/src/strife/p_tick.c @@ -99,11 +99,13 @@ void P_AllocateThinker (thinker_t* thinker) // void P_RunThinkers (void) { - thinker_t* currentthinker; + thinker_t *currentthinker, *nextthinker; currentthinker = thinkercap.next; while (currentthinker != &thinkercap) { + nextthinker = currentthinker->next; + if ( currentthinker->function.acv == (actionf_v)(-1) ) { // time to remove it @@ -116,7 +118,8 @@ void P_RunThinkers (void) if (currentthinker->function.acp1) currentthinker->function.acp1 (currentthinker); } - currentthinker = currentthinker->next; + + currentthinker = nextthinker; } } |