From f2ac3aec94abd197c54a5906953f1ce3ba4e98b4 Mon Sep 17 00:00:00 2001
From: Pokechu22
Date: Mon, 20 Feb 2023 18:31:30 -0800
Subject: [PATCH] IOS/ES: Fix crash when deleting tickets

This broke formatting the system memory; see https://bugs.dolphin-emu.org/issues/13176. After calling ticket.DeleteTicket(), ticket.m_bytes was 0-length, but calling ticket.IsV1Ticket() still attempted to read from m_bytes. This was introduced in 2fd9852ca89e4f07f6231ec3ddab5656f2b7856c, although it didn't actually cause a crash until 929fba08e733ceb02e51cbeb684a50103865e2da.
---
 Source/Core/Core/IOS/ES/TitleManagement.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/Source/Core/Core/IOS/ES/TitleManagement.cpp b/Source/Core/Core/IOS/ES/TitleManagement.cpp
index c07442262886..13884d5628b2 100644
--- a/Source/Core/Core/IOS/ES/TitleManagement.cpp
+++ b/Source/Core/Core/IOS/ES/TitleManagement.cpp
@@ -580,15 +580,19 @@ ReturnCode ESDevice::DeleteTicket(const u8* ticket_view)
 if (!ticket.IsValid())
 return FS_ENOENT;
+ const bool was_v1_ticket = ticket.IsV1Ticket();
+ const std::string ticket_path =
+ was_v1_ticket ? Common::GetV1TicketFileName(title_id) : Common::GetTicketFileName(title_id);
+
 const u64 ticket_id = Common::swap64(ticket_view + offsetof(ES::TicketView, ticket_id));
 ticket.DeleteTicket(ticket_id);
 const std::vector& new_ticket = ticket.GetBytes();
- const std::string ticket_path = ticket.IsV1Ticket() ? Common::GetV1TicketFileName(title_id) :
- Common::GetTicketFileName(title_id);
 if (!new_ticket.empty())
 {
+ ASSERT(ticket.IsValid());
+ ASSERT(ticket.IsV1Ticket() == was_v1_ticket);
 const auto file = fs->OpenFile(PID_KERNEL, PID_KERNEL, ticket_path, FS::Mode::ReadWrite);
 if (!file || !file->Write(new_ticket.data(), new_ticket.size()))
 return ES_EIO;
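Review bot: The reordering at the top of the hunk is load-bearing but nothing in the code says so: `was_v1_ticket` and `ticket_path` have to be computed before `ticket.DeleteTicket(ticket_id)` because, per the commit message, `IsV1Ticket()` reads `m_bytes` even when it is 0-length. I would add a comment above `was_v1_ticket`, for example `// Query the ticket version before DeleteTicket(): afterwards m_bytes may be empty and IsV1Ticket() would read past it.`, so a later cleanup does not move the call back below the deletion. The accessor itself is outside this hunk; if it still has no size check, guarding it there (or asserting `IsValid()` inside it) would cover every other caller, which this call-site fix does not. `ESDevice::DeleteTicket` starts before and continues past the hunk.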