- fixed potential access to freed memory on map loading

MapData could destruct FResourceLump objects before accessing them Loading of map .wad from .pk3 file is example of this case https://forum.zdoom.org/viewtopic.php?t=60972
ZDoom · Jun 22, 2018 · 9b4e8ef · 9b4e8ef · coelckers · Jun 22, 2018
1 parent eddb179
commit 9b4e8ef
Showing 1 changed file with 19 additions and 7 deletions.
diff --git a/src/p_setup.h b/src/p_setup.h
@@ -36,6 +36,25 @@
 struct MapData
 {
 private:
+	struct ResourceHolder
+	{
+		FResourceFile *data = nullptr;
+
+		~ResourceHolder()
+		{
+			delete data;
+		}
+
+		ResourceHolder &operator=(FResourceFile *other) { data = other; return *this; }
+		FResourceFile *operator->() { return data; }
+		operator FResourceFile *() const { return data; }
+	};
+
+	// The order of members here is important
+	// Resource should be destructed after MapLumps as readers may share FResourceLump objects
+	// For example, this is the case when map .wad is loaded from .pk3 file
+	ResourceHolder resource;
+
 	struct MapLump
 	{
 		char Name[8] = { 0 };
@@ -48,13 +67,6 @@ struct MapData
 	bool isText = false;
 	bool InWad = false;
 	int lumpnum = -1;
-	FResourceFile * resource = nullptr;
-
-	~MapData()
-	{
-		if (resource != nullptr) delete resource;
-		resource = nullptr;
-	}
 
 	/*
 	void Seek(unsigned int lumpindex)