InventoryManager: Disallow resizing or deleting inventory lists that are in use (#13360)

Naive solution to prevent InventoryList UAF and OOB ItemStack access caused by shrink/clear operations on InventoryLists within callbacks of an inventory action. Co-authored-by: Desour <ds.desour@proton.me>
2025-06-27 16:36:03 +00:00 · 2023-04-22 17:42:36 +02:00 · 2023-04-22 17:42:36 +02:00 · 0fb6dbab36
commit 0fb6dbab36
parent 4158b72971
3 changed files with 54 additions and 0 deletions
--- a/src/inventorymanager.cpp
+++ b/src/inventorymanager.cpp
@ -278,6 +278,9 @@ void IMoveAction::apply(InventoryManager *mgr, ServerActiveObject *player, IGame
 		return;
 	}

+	auto list_from_lock = list_from->resizeLock();
+	auto list_to_lock = list_to->resizeLock();
+
 	if (move_somewhere) {
 		s16 old_to_i = to_i;
 		u16 old_count = count;
@ -570,6 +573,7 @@ void IMoveAction::apply(InventoryManager *mgr, ServerActiveObject *player, IGame
 	/*
 		Report move to endpoints
 	*/
+	list_to_lock.reset();

 	// Source = destination => move
 	if (from_inv == to_inv) {
@ -683,6 +687,8 @@ void IDropAction::apply(InventoryManager *mgr, ServerActiveObject *player, IGame
 		return;
 	}

+	auto list_from_lock = list_from->resizeLock();
+
 	/*
 		Do not handle rollback if inventory is player's
 	*/
@ -763,6 +769,7 @@ void IDropAction::apply(InventoryManager *mgr, ServerActiveObject *player, IGame
 	/*
 		Report drop to endpoints
 	*/
+	list_from_lock.reset();

 	switch (from_inv.type) {
 	case InventoryLocation::DETACHED:
@ -879,6 +886,10 @@ void ICraftAction::apply(InventoryManager *mgr,
 		return;
 	}

+	auto list_craft_lock       = list_craft->resizeLock();
+	auto list_craftresult_lock = list_craftresult->resizeLock();
+	auto list_main_lock        = list_main->resizeLock();
+
 	ItemStack crafted;
 	ItemStack craftresultitem;
 	int count_remaining = count;