* Fix the Z_Free double-free issue (in two different ways, one ifdef'd out) that can sometimes occur on the vote screen.

* Fix a technically invalid read in D_SetupVote. * If the third map on the voting screen has a different gametype, don't interact with the buffer. * Fix the inttime 0 setting, since I was in y_inter.c and testing quick map changes.
2025-10-30 08:01:28 +00:00 · 2022-01-23 20:33:27 +00:00 · 2022-01-23 20:33:27 +00:00 · 8c3fad058d
commit 8c3fad058d
parent b30ffea49a
6 changed files with 57 additions and 23 deletions
--- a/src/d_netcmd.c
+++ b/src/d_netcmd.c
@ -2408,7 +2408,7 @@ void D_SetupVote(void)
 	UINT8 *p = buf;
 	INT32 i;
 	UINT8 secondgt = G_SometimesGetDifferentGametype();
-	INT16 votebuffer[3] = {-1,-1,-1};
+	INT16 votebuffer[4] = {-1,-1,-1, 0};

 	if ((cv_kartencore.value == 1) && (gametyperules & GTR_CIRCUIT))
 		WRITEUINT8(p, (gametype|0x80));
@ -2421,13 +2421,13 @@ void D_SetupVote(void)
 	{
 		UINT16 m;
 		if (i == 2) // sometimes a different gametype
-			m = G_RandMap(G_TOLFlag(secondgt), prevmap, false, 0, true, votebuffer);
+			m = G_RandMap(G_TOLFlag(secondgt), prevmap, ((secondgt != gametype) ? 2 : 0), 0, true, votebuffer);
 		else if (i >= 3) // unknown-random and force-unknown MAP HELL
-			m = G_RandMap(G_TOLFlag(gametype), prevmap, false, (i-2), (i < 4), votebuffer);
+			m = G_RandMap(G_TOLFlag(gametype), prevmap, 0, (i-2), (i < 4), votebuffer);
 		else
-			m = G_RandMap(G_TOLFlag(gametype), prevmap, false, 0, true, votebuffer);
+			m = G_RandMap(G_TOLFlag(gametype), prevmap, 0, 0, true, votebuffer);
 		if (i < 3)
-			votebuffer[min(i, 2)] = m; // min() is a dumb workaround for gcc 4.4 array-bounds error
+			votebuffer[i] = m; // min() is a dumb workaround for gcc 4.4 array-bounds error
 		WRITEUINT16(p, m);
 	}

--- a/src/f_finale.c
+++ b/src/f_finale.c
@ -2144,7 +2144,7 @@ void F_TitleScreenTicker(boolean run)
 		}
 		*/

-		mapname = G_BuildMapName(G_RandMap(TOL_RACE, -2, false, 0, false, NULL)+1);
+		mapname = G_BuildMapName(G_RandMap(TOL_RACE, -2, 0, 0, false, NULL)+1);

 		numstaff = 1;
 		while (numstaff < 99 && (l = W_CheckNumForName(va("%sS%02u",mapname,numstaff+1))) != LUMPERROR)
--- a/src/g_game.c
+++ b/src/g_game.c
@ -670,7 +670,7 @@ const char *G_BuildMapName(INT32 map)
 			map = gamemap-1;
 		else
 			map = prevmap;
-		map = G_RandMap(G_TOLFlag(cv_newgametype.value), map, false, 0, false, NULL)+1;
+		map = G_RandMap(G_TOLFlag(cv_newgametype.value), map, 0, 0, false, NULL)+1;
 	}

 	if (map < 100)
@ -3247,20 +3247,24 @@ static UINT32 TOLMaps(UINT32 tolflags)
  * \author Graue <graue@oceanbase.org>
  */
 static INT16 *okmaps = NULL;
-INT16 G_RandMap(UINT32 tolflags, INT16 pprevmap, boolean ignorebuffer, UINT8 maphell, boolean callagainsoon, INT16 *extbuffer)
+INT16 G_RandMap(UINT32 tolflags, INT16 pprevmap, UINT8 ignorebuffer, UINT8 maphell, boolean callagainsoon, INT16 *extbuffer)
 {
-	INT32 numokmaps = 0;
+	UINT32 numokmaps = 0;
 	INT16 ix, bufx;
 	UINT16 extbufsize = 0;
 	boolean usehellmaps; // Only consider Hell maps in this pick

 	if (!okmaps)
+	{
+		//CONS_Printf("(making okmaps)\n");
 		okmaps = Z_Malloc(NUMMAPS * sizeof(INT16), PU_STATIC, NULL);
+	}

 	if (extbuffer != NULL)
 	{
 		bufx = 0;
-		while (extbuffer[bufx]) {
+		while (extbuffer[bufx])
+		{
 			extbufsize++; bufx++;
 		}
 	}
@ -3333,30 +3337,42 @@ tryagain:
 		{
 			if (randmapbuffer[3] == -1) // Is the buffer basically empty?
 			{
-				ignorebuffer = true; // This will probably only help in situations where there's very few maps, but it's folly not to at least try it
+				ignorebuffer = 1; // This will probably only help in situations where there's very few maps, but it's folly not to at least try it
+				//CONS_Printf("RANDMAP - ignoring buffer\n");
 				goto tryagain;
 			}

 			for (bufx = 3; bufx < NUMMAPS; bufx++) // Let's clear all but the three most recent maps...
 				randmapbuffer[bufx] = -1;
+			//CONS_Printf("RANDMAP - emptying randmapbuffer\n");
 			goto tryagain;
 		}

 		if (maphell) // Any wiggle room to loosen our restrictions here?
 		{
+			//CONS_Printf("RANDMAP -maphell decrement\n");
 			maphell--;
 			goto tryagain;
 		}

+		//CONS_Printf("RANDMAP - defaulting to map01\n");
 		ix = 0; // Sorry, none match. You get MAP01.
-		for (bufx = 0; bufx < NUMMAPS+1; bufx++)
-			randmapbuffer[bufx] = -1; // if we're having trouble finding a map we should probably clear it
+		if (ignorebuffer == 1)
+		{
+			//CONS_Printf("(emptying randmapbuffer entirely)\n");
+			for (bufx = 0; bufx < NUMMAPS; bufx++)
+				randmapbuffer[bufx] = -1; // if we're having trouble finding a map we should probably clear it
+		}
 	}
 	else
+	{
+		//CONS_Printf("RANDMAP - %d maps available to grab\n", numokmaps);
 		ix = okmaps[M_RandomKey(numokmaps)];
+	}

 	if (!callagainsoon)
 	{
+		//CONS_Printf("(freeing okmaps)\n");
 		Z_Free(okmaps);
 		okmaps = NULL;
 	}
@ -3366,7 +3382,7 @@ tryagain:

 void G_AddMapToBuffer(INT16 map)
 {
-	INT16 bufx, refreshnum = max(0, (INT32)TOLMaps(G_TOLFlag(gametype))-3);
+	INT16 bufx, refreshnum = max(0, TOLMaps(G_TOLFlag(gametype))-3);

 	// Add the map to the buffer.
 	for (bufx = NUMMAPS-1; bufx > 0; bufx--)
@ -3612,7 +3628,7 @@ static void G_DoCompleted(void)
 		}
 		else if (cv_advancemap.value == 2) // Go to random map.
 		{
-			nextmap = G_RandMap(G_TOLFlag(gametype), prevmap, false, 0, false, NULL);
+			nextmap = G_RandMap(G_TOLFlag(gametype), prevmap, 0, 0, false, NULL);
 		}
 	}

--- a/src/g_game.h
+++ b/src/g_game.h
@ -254,7 +254,7 @@ FUNCMATH INT32 G_TicsToMilliseconds(tic_t tics);
 // Don't split up TOL handling
 UINT32 G_TOLFlag(INT32 pgametype);

-INT16 G_RandMap(UINT32 tolflags, INT16 pprevmap, boolean ignorebuffer, UINT8 maphell, boolean callagainsoon, INT16 *extbuffer);
+INT16 G_RandMap(UINT32 tolflags, INT16 pprevmap, UINT8 ignorebuffer, UINT8 maphell, boolean callagainsoon, INT16 *extbuffer);
 void G_AddMapToBuffer(INT16 map);

 #endif
--- a/src/m_menu.c
+++ b/src/m_menu.c
@ -8846,7 +8846,7 @@ static void M_StartServer(INT32 choice)
 		G_StopMetalDemo();

 	if (!cv_nextmap.value)
-		CV_SetValue(&cv_nextmap, G_RandMap(G_TOLFlag(cv_newgametype.value), -1, false, 0, false, NULL)+1);
+		CV_SetValue(&cv_nextmap, G_RandMap(G_TOLFlag(cv_newgametype.value), -1, 0, 0, false, NULL)+1);

 	if (cv_maxplayers.value < ssplayers+1)
 		CV_SetValue(&cv_maxplayers, ssplayers+1);
--- a/src/y_inter.c
+++ b/src/y_inter.c
@ -1066,7 +1066,7 @@ void Y_StartIntermission(void)
 	else
 	{
 		if (cv_inttime.value == 0)
-			timer = 0;
+			timer = 1;
 		else if (demo.playback && !multiplayer) // Override inttime (which is pulled from the replay anyway
 			timer = 10*TICRATE;
 		else
@ -1810,6 +1810,8 @@ void Y_EndVote(void)
 //
 static void Y_UnloadVoteData(void)
 {
+	UINT8 i;
+
 	voteclient.loaded = false;

 	if (rendermode != render_soft)
@ -1825,11 +1827,27 @@ static void Y_UnloadVoteData(void)
 	UNLOAD(randomlvl);
 	UNLOAD(rubyicon);

-	UNLOAD(levelinfo[4].pic);
-	UNLOAD(levelinfo[3].pic);
-	UNLOAD(levelinfo[2].pic);
-	UNLOAD(levelinfo[1].pic);
-	UNLOAD(levelinfo[0].pic);
+	// to prevent double frees...
+	for (i = 0; i < 5; i++)
+	{
+	// I went to all the trouble of doing this,
+	// but literally nowhere else frees level pics.
+#if 0
+		UINT8 j;
+
+		if (!levelinfo[i].pic)
+			continue;
+
+		for (j = i+1; j < 5; j++)
+		{
+			if (levelinfo[j].pic == levelinfo[i].pic)
+				levelinfo[j].pic = NULL;
+		}
+		UNLOAD(levelinfo[i].pic);
+#else
+		CLEANUP(levelinfo[i].pic);
+#endif
+	}
 }

 //