From 5003a7e311e2f3467d146434b8b709e0986edfe2 Mon Sep 17 00:00:00 2001 From: rubidium Date: Mon, 5 Jul 2010 21:07:31 +0000 Subject: [PATCH] (svn r20082) -Fix [FS#3899]: reading deleted memory when selecting a NewGRF in the content download window of which the data has not been acquired from the content server. The crash would occur after the content server's reply was processed and the ContentInfo object was replaced with another. --- src/network/network_content.cpp | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/network/network_content.cpp b/src/network/network_content.cpp index 0625865933..f70f0e7246 100644 --- a/src/network/network_content.cpp +++ b/src/network/network_content.cpp @@ -132,8 +132,16 @@ DEF_CONTENT_RECEIVE_COMMAND(Client, PACKET_CONTENT_SERVER_INFO) if (StrEmpty(ci->name)) strecpy(ci->name, ici->name, lastof(ci->name)); if (ici->IsSelected()) ci->state = ici->state; - delete ici; - *iter = ci; + /* + * As ici might be selected by the content window we cannot delete that. + * However, we want to keep most of the values of ci, except the values + * we (just) already preserved. As there are already allocated blobs of + * memory and more may be added, we cannot simply copy ci to ici as that + * might cause a leak of memory. As such we need to swap the data and + * then delete the memory we allocated here. + */ + Swap(*ici, *ci); + delete ci; this->OnReceiveContentInfo(ci); return true;