TO quote @jyrkive: "prev_def is a pointer to the defendant after the previous fight. The defendant belongs to bc, it's assigned here. And now when bc is a smart pointer, it frees the battle_context when it goes out of scope, i.e. when the loop iteration changes. In the next iteration, the stale prev_def is accessed before a new battle_context is created: use-after-free."
This commit is contained in:
Charles Dang
parent
5dd7a16133
commit
d827a326e1
1 changed files with 1 additions and 1 deletions
|
|
@ -98,6 +98,7 @@ void attack_analysis::analyze(const gamemap& map, unit_map& units,
|
|||
assert(!movements.empty());
|
||||
std::vector<std::pair<map_location,map_location> >::const_iterator m;
|
||||
|
||||
std::unique_ptr<battle_context> bc(nullptr);
|
||||
const combatant *prev_def = nullptr;
|
||||
|
||||
for (m = movements.begin(); m != movements.end(); ++m) {
|
||||
|
|
@ -115,7 +116,6 @@ void attack_analysis::analyze(const gamemap& map, unit_map& units,
|
|||
}
|
||||
|
||||
bool from_cache = false;
|
||||
std::unique_ptr<battle_context> bc;
|
||||
|
||||
// This cache is only about 99% correct, but speeds up evaluation by about 1000 times.
|
||||
// We recalculate when we actually attack.
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue