Loot: fix 'use after free'.

Loot objects have ownership of their LootItem objects, and also keep track of any associated GroupLootRoll objects. A GroupLootRoll object in turn references the LootItem the roll is about, and its destructor may still use the LootItem. So when a Loot object is destructed, it can't delete its LootItem objects as long as any GroupLootRoll objects are still around that may reference/use them! Fixes cmangos/issues#3860.
cmangos · Feb 17, 2025 · 9a6fb1c · 9a6fb1c
1 parent 1ad7478
commit 9a6fb1c
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/src/game/Loot/LootMgr.cpp b/src/game/Loot/LootMgr.cpp
@@ -2243,12 +2243,17 @@ void Loot::GetLootItemsListFor(Player* player, LootItemList& lootList)
 Loot::~Loot()
 {
     SendReleaseForAll();
+
+    // Stop any ongoing group loot rolls.
+    m_roll.clear();
+
     for (auto& m_lootItem : m_lootItems)
         delete m_lootItem;
 }
 
 void Loot::Clear()
 {
+    m_roll.clear();
     for (auto& m_lootItem : m_lootItems)
         delete m_lootItem;
     m_lootItems.clear();
@@ -2257,7 +2262,6 @@ void Loot::Clear()
     m_ownerSet.clear();
     m_masterOwnerGuid.Clear();
     m_currentLooterGuid.Clear();
-    m_roll.clear();
     m_maxEnchantSkill = 0;
     m_haveItemOverThreshold = false;
     m_isChecked = false;