From 1bcff874c52aca3134cee636178ab5d6272fef58 Mon Sep 17 00:00:00 2001
From: Simon Howard
Date: Sun, 26 Apr 2015 18:55:43 -0400
Subject: Don't read currentthinker->next after Z_Free().

Save the next pointer in the P_RunThinkers() loop when iterating through thinkers, so that if the current thinker is freed we can still advance to the next thinker without dereferencing freed memory.
---
 src/doom/p_tick.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'src/doom')

diff --git a/src/doom/p_tick.c b/src/doom/p_tick.c
index 22893500..c933cfe9 100644
--- a/src/doom/p_tick.c
+++ b/src/doom/p_tick.c
@@ -93,24 +93,26 @@ void P_AllocateThinker (thinker_t* thinker)
 //
 void P_RunThinkers (void)
 {
-    thinker_t* currentthinker;
+    thinker_t *currentthinker, *nextthinker;
     currentthinker = thinkercap.next;
     while (currentthinker != &thinkercap)
     {
+        nextthinker = currentthinker->next;
+
         if ( currentthinker->function.acv == (actionf_v)(-1) )
         {
             // time to remove it
             currentthinker->next->prev = currentthinker->prev;
             currentthinker->prev->next = currentthinker->next;
-            Z_Free (currentthinker);
+            Z_Free(currentthinker);
         }
         else
         {
             if (currentthinker->function.acp1)
                 currentthinker->function.acp1 (currentthinker);
         }
-        currentthinker = currentthinker->next;
+        currentthinker = nextthinker;
     }
 }
-- 
cgit v1.2.3
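Review bot: The saved `nextthinker` is only safe if nothing run through `currentthinker->function.acp1` can free the thinker that follows the current one; the hunk shows removal going through the `(actionf_v)(-1)` marker and being performed by this loop, which appears to be what makes the pointer stable, but that invariant is not stated anywhere in the new code. A comment at the new assignment would pin it down for future callers and reviewers, e.g. `// Save the successor first: the current thinker may be Z_Freed below. Callers must mark thinkers for removal rather than freeing them directly, or this pointer can dangle.` The `Z_Free (currentthinker)` → `Z_Free(currentthinker)` change is unrelated whitespace churn and could be left out to keep the fix minimal in the history.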