Fix: Heap-use-after-free crash when closing profiles with active triggers#8567
Merged
vadi2 merged 1 commit intoMudlet:developmentfrom Nov 26, 2025
Conversation
|
Hey there! Thanks for helping Mudlet improve. 🌟 Test versionsYou can directly test the changes here:
No need to install anything - just unzip and run. |
vadi2
approved these changes
Nov 22, 2025
vadi2
pushed a commit
that referenced
this pull request
Nov 26, 2025
…gers (#8567) #### Brief overview of PR changes/additions Fixed a heap-use-after-free crash in TBuffer destructor by converting the raw `mTagWatchdog` pointer to `std::unique_ptr<QTimer>` and implementing proper copy constructor and copy assignment operator. #### Motivation for adding to Mudlet The crash occurred when closing a profile (e.g., using "Close Profile" menu item on Medievia MUD) that had been actively receiving data and running triggers. The issue was caused by TBuffer objects being copied without properly handling the ownership of the `mTagWatchdog` QTimer. When temporary TBuffer objects were created during copy operations (like in `TConsole::copy()`), both the original and copied instances shared the same QTimer pointer. When one instance was destroyed, it deleted the timer, leaving the other with a dangling pointer that caused a crash on subsequent destruction. AddressSanitizer trace showed: ``` ERROR: AddressSanitizer: heap-use-after-free on address 0x602000915670 READ of size 8 at 0x602000915670 thread T0 #0 in TBuffer::TBuffer()+0x88 #1 in TBuffer::TBuffer()+0x18 #2 in TMainConsole::~TMainConsole()+0x5a8 ``` The fix ensures each TBuffer instance owns its own QTimer through a unique_ptr, preventing double-deletion and use-after-free errors. #### Other info (issues closed, discussion etc) This resolves crashes that occurred during profile shutdown when the copy() Lua function was used in triggers processing incoming game data. (cherry picked from commit d56c6c2)
Member
|
Cherrypicked into release-4.20 branch. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Brief overview of PR changes/additions
Fixed a heap-use-after-free crash in TBuffer destructor by converting the raw
mTagWatchdogpointer tostd::unique_ptr<QTimer>and implementing proper copy constructor and copy assignment operator.Motivation for adding to Mudlet
The crash occurred when closing a profile (e.g., using "Close Profile" menu item on Medievia MUD) that had been actively receiving data and running triggers. The issue was caused by TBuffer objects being copied without properly handling the ownership of the
mTagWatchdogQTimer. When temporary TBuffer objects were created during copy operations (like inTConsole::copy()), both the original and copied instances shared the same QTimer pointer. When one instance was destroyed, it deleted the timer, leaving the other with a dangling pointer that caused a crash on subsequent destruction.AddressSanitizer trace showed:
The fix ensures each TBuffer instance owns its own QTimer through a unique_ptr, preventing double-deletion and use-after-free errors.
Other info (issues closed, discussion etc)
This resolves crashes that occurred during profile shutdown when the copy() Lua function was used in triggers processing incoming game data.