From c7205da58b7d7a82d86e0877f4933b0b5bfa74ca Mon Sep 17 00:00:00 2001
From: Le Philousophe
Date: Wed, 6 Mar 2019 20:57:19 +0100
Subject: CRYOMNI3D: Fix use after free when playing dialog

---
 engines/cryomni3d/dialogs_manager.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'engines/cryomni3d/dialogs_manager.cpp')

diff --git a/engines/cryomni3d/dialogs_manager.cpp b/engines/cryomni3d/dialogs_manager.cpp
index 6c1c2ac5ad..badd742120 100644
--- a/engines/cryomni3d/dialogs_manager.cpp
+++ b/engines/cryomni3d/dialogs_manager.cpp
@@ -257,6 +257,9 @@ bool DialogsManager::play(const Common::String &sequence, bool &slowStop) {
 bool playerLabel = !strncmp(label, "JOU", 3);
 bool didSomething = false;
 bool finished = false;
+/* Keep the gotoList outside the loop to avoid it being freed at the end of it and
+ * having label possibly pointing on free memory */
+Common::Array gotoList;
 while (!finished) {
 const char *actions;
 if (playerLabel) {
@@ -284,7 +287,7 @@ bool DialogsManager::play(const Common::String &sequence, bool &slowStop) {
 didSomething = true;
 actions = nextLine(text);
 }
-Common::Array gotoList = executeAfterPlayAndBuildGotoList(actions);
+gotoList = executeAfterPlayAndBuildGotoList(actions);
 Common::StringArray questions;
 bool endOfConversationFound = false;;
 if (_ignoreNoEndOfConversation) {
--
cgit v1.2.3
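Review bot: Hoisting gotoList out of the loop keeps its storage alive between iterations, but the reassignment in the second hunk (`gotoList = executeAfterPlayAndBuildGotoList(actions);`) still releases the previous contents, so any read of `label` that occurs after that line within the same iteration would still dereference freed memory; the fix holds only if `label` is consumed at the top of the loop, before the rebuild. The body of play() continues outside both hunks, so that ordering cannot be confirmed from the hunk alone and is worth a line in the comment, e.g. `/* gotoList outlives the loop body: label may point into one of its elements and must only be read before the array is rebuilt below. */`. The wording "pointing on free memory" should read "pointing to freed memory". The element type of `Common::Array` appears to have been stripped in this rendering of the patch (the template argument is missing on both the declaration and the removed line), so a reader of this page should check the repository for the actual type.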