fix: uaf in safe references (#4165)

* Fixes a uaf in safe references * style(autofix.ci): automated formatting --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
cataclysmbnteam · Jan 27, 2024 · 05a7e9e · 05a7e9e
1 parent 80fddc4
commit 05a7e9e
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/src/safe_reference.h b/src/safe_reference.h
@@ -154,6 +154,7 @@ class safe_reference
                 } else {
                     rec->mem_count--;
                     rec = rec->target.redirect;
+                    rec->mem_count++;
                 }
             }
         }
@@ -368,13 +369,12 @@ class safe_reference
             if( sec_rec->id == ID_NONE ) {
                 sec_rec->id = REDIRECTED_MASK;
                 sec_rec->target.redirect = pri_rec;
-            }
-
-            //They both have an id
-            if( pri_rec->id != ID_NONE && sec_rec->id != ID_NONE ) {
+                pri_rec->mem_count++;
+            } else {
                 //This is the worse case, we actually need a redirect
                 sec_rec->id = sec_rec->id | REDIRECTED_MASK;
                 sec_rec->target.redirect = pri_rec;
+                pri_rec->mem_count++;
             }
         }