InventoryManager: Disallow resizing or deleting inventory lists that are in use (#13360)

Naive solution to prevent InventoryList UAF and OOB ItemStack access caused by shrink/clear operations on InventoryLists within callbacks of an inventory action. Co-authored-by: Desour <ds.desour@proton.me>
2025-07-22 17:18:39 +00:00 · 2023-04-22 17:42:36 +02:00 · 2023-04-22 17:42:36 +02:00 · 0fb6dbab36
commit 0fb6dbab36
parent 4158b72971
3 changed files with 54 additions and 0 deletions
--- a/src/inventory.h
+++ b/src/inventory.h
@ -284,6 +284,24 @@ public:
 	inline bool checkModified() const { return m_dirty; }
 	inline void setModified(bool dirty = true) { m_dirty = dirty; }

+	// Problem: C++ keeps references to InventoryList and ItemStack indices
+	// until a better solution is found, this serves as a guard to prevent side-effects
+	struct ResizeUnlocker {
+		void operator()(InventoryList *invlist)
+		{
+			invlist->m_resize_locks -= 1;
+		}
+	};
+	using ResizeLocked = std::unique_ptr<InventoryList, ResizeUnlocker>;
+
+	void checkResizeLock();
+
+	inline ResizeLocked resizeLock()
+	{
+		m_resize_locks += 1;
+		return ResizeLocked(this);
+	}
+
 private:
 	std::vector<ItemStack> m_items;
 	std::string m_name;
@ -291,6 +309,7 @@ private:
 	u32 m_width = 0;
 	IItemDefManager *m_itemdef;
 	bool m_dirty = true;
+	int m_resize_locks = 0; // Lua callback sanity
 };

 class Inventory