[GEN][ZH] Fix heap-use-after-free in ScoreScaleUpTransition::draw and dangling pointers to GameWindow in WindowTransitions (#848)

Author: Mauller

Generals/Code/GameEngine/Include/GameClient/GameWindow.h

@@ -65,6 +65,7 @@
 class GameWindow;
 class WindowLayout;
 class GameFont;
+class TransitionWindow;
 struct GameWindowEditData;
 
 ///////////////////////////////////////////////////////////////////////////////
@@ -240,6 +241,9 @@ friend class GameWindowManager;
 	/// draw border for this window only, NO child windows or anything
 	virtual void winDrawBorder( void ) = 0;
 
+	void linkTransitionWindow( TransitionWindow* transitionWindow );
+	void unlinkTransitionWindow( TransitionWindow* transitionWindow );
+
 	Int winSetWindowId( Int id );  ///< set id for this window
 	Int winGetWindowId( void );  ///< return window id for this window
 	Int winSetSize( Int width, Int height );  ///< set size
@@ -380,6 +384,8 @@ friend class GameWindowManager;
 	void freeImages( void ) { }
 	Bool isEnabled( void );  ///< see if we and our parents are enabled
 
+	void unlinkFromTransitionWindows( void );
+
 	void normalizeWindowRegion( void );  ///< put UL corner in window region.lo
 
 	GameWindow *findFirstLeaf( void );  ///< return first leaf of branch
@@ -422,6 +428,9 @@ friend class GameWindowManager;
 	// game window edit data for the GUIEditor only
 	GameWindowEditData *m_editData;
 
+	// vector of window transitions that have a relation to the current GameWindow
+	std::vector<TransitionWindow*> m_transitionWindows;
+
 };  // end class GameWindow
 
 // ModalWindow ----------------------------------------------------------------

Generals/Code/GameEngine/Include/GameClient/GameWindowTransitions.h

@@ -125,6 +125,7 @@ class Transition
 
 	virtual void skip( void ) = 0;
 
+	void unlinkGameWindow(GameWindow* win) { if ( m_win == win ) m_win = NULL; }
 	Bool isFinished( void ) { return m_isFinished;	}
 	Int getFrameLength( void ){ return m_frameLength;	}
 protected:
@@ -609,7 +610,9 @@ class TransitionWindow
 	void reverse( Int totalFrames );
 	Int  getTotalFrames( void );
 	void skip( void );
-		void draw( void );
+	void draw( void );
+
+	void unlinkGameWindow( GameWindow* win );
 
 // INI parsed vars
 	AsciiString m_winName;

Generals/Code/GameEngine/Source/GameClient/GUI/GameWindow.cpp

@@ -61,6 +61,7 @@
 #include "GameClient/GadgetStaticText.h"
 #include "GameClient/Mouse.h"
 #include "GameClient/SelectionXlat.h"
+#include "GameClient/GameWindowTransitions.h"
 #ifdef RTS_INTERNAL
 // for occasional debugging...
 //#pragma optimize("", off)
@@ -136,8 +137,51 @@ GameWindow::~GameWindow( void )
 		delete m_editData;
 	m_editData = NULL;
 
+	unlinkFromTransitionWindows();
+
 }  // end ~GameWindow
 
+// GameWindow::linkTransitionWindow ============================================
+//=============================================================================
+void GameWindow::linkTransitionWindow( TransitionWindow* transitionWindow )
+{
+
+	m_transitionWindows.push_back(transitionWindow);
+
+}  // end linkTransitionWindow
+
+// GameWindow::unlinkTransitionWindow =========================================
+//=============================================================================
+void GameWindow::unlinkTransitionWindow( TransitionWindow* transitionWindow )
+{
+
+	std::vector<TransitionWindow*>::iterator it = m_transitionWindows.begin();
+	while ( it != m_transitionWindows.end() )
+	{
+		if ( *it == transitionWindow )
+		{
+			*it = m_transitionWindows.back();
+			m_transitionWindows.pop_back();
+			return;
+		}
+		++it;
+	}
+
+}  // end unlinkTransitionWindow
+
+// GameWindow::unlinkFromTransitionWindows =========================================
+//=============================================================================
+void GameWindow::unlinkFromTransitionWindows( void )
+{
+
+	while ( !m_transitionWindows.empty() )
+	{
+		m_transitionWindows.back()->unlinkGameWindow(this);
+		m_transitionWindows.pop_back();
+	}
+
+}  // end unlinkFromTransitionWindows
+
 // GameWindow::normalizeWindowRegion ==========================================
 /** Puts the upper left corner in the window's region.lo field */
 //=============================================================================

Generals/Code/GameEngine/Source/GameClient/GUI/GameWindowTransitions.cpp

@@ -158,6 +158,9 @@ TransitionWindow::TransitionWindow( void )
 
 TransitionWindow::~TransitionWindow( void )
 {
+	if (m_win)
+		m_win->unlinkTransitionWindow(this);
+
 	m_win = NULL;
 	if(m_transition)
 		delete m_transition;
@@ -180,6 +183,10 @@ Bool TransitionWindow::init( void )
 	m_transition = getTransitionForStyle( m_style );
 	m_transition->init(m_win);
 
+	// TheSuperHackers @fix Mauller 15/05/2025 Link TransitionWindow to the GameWindow so the GameWindow can unlink itself when it is destroyed
+	if(m_win)
+		m_win->linkTransitionWindow(this);
+
 	return TRUE;
 }
 
@@ -218,6 +225,15 @@ void TransitionWindow::draw( void )
 		m_transition->draw();
 }
 
+void TransitionWindow::unlinkGameWindow(GameWindow* win)
+{
+	if (m_win != win)
+		return;
+
+	m_transition->unlinkGameWindow(win);
+	m_win = NULL;
+}
+
 Int TransitionWindow::getTotalFrames( void )
 {
 	if(m_transition)

Generals/Code/GameEngine/Source/GameClient/GUI/GameWindowTransitionsStyles.cpp

@@ -692,6 +692,8 @@ void FadeTransition::draw( void )
 {
 	if(!m_win)
 		return;
+	if(m_drawState <= FADETRANSITION_START || m_drawState >= FADETRANSITION_END)
+		return;
 	const Image *image = m_win->winGetEnabledImage(0);
 	switch (m_drawState) 
 	{
@@ -854,9 +856,9 @@ void ScaleUpTransition::draw( void )
 {
 	if(!m_win)
 		return;
-	const Image *image = m_win->winGetEnabledImage(0);
 	if(m_drawState <= SCALEUPTRANSITION_START || m_drawState >= SCALEUPTRANSITION_END)
 		return;
+	const Image *image = m_win->winGetEnabledImage(0);
 	Int x = m_centerPos.x - ((m_incrementSize.x * m_drawState) / 2);
 	Int y = m_centerPos.y - ((m_incrementSize.y * m_drawState) / 2);
 	Int x1 = x + m_incrementSize.x * m_drawState;
@@ -977,9 +979,9 @@ void ScoreScaleUpTransition::draw( void )
 {
 	if(!m_win)
 		return;
-	const Image *image = m_win->winGetEnabledImage(0);
 	if(m_drawState <= SCORESCALEUPTRANSITION_START || m_drawState >= SCORESCALEUPTRANSITION_END)
 		return;
+	const Image *image = m_win->winGetEnabledImage(0);
 	Int x = m_centerPos.x - ((m_incrementSize.x * m_drawState) / 2);
 	Int y = m_centerPos.y - ((m_incrementSize.y * m_drawState) / 2);
 	Int x1 = x + m_incrementSize.x * m_drawState;
@@ -1094,9 +1096,9 @@ void MainMenuScaleUpTransition::draw( void )
 {
 	if(!m_win)
 		return;
-	const Image *image = m_growWin->winGetEnabledImage(0);
 	if(m_drawState <= MAINMENUSCALEUPTRANSITION_START || m_drawState >= MAINMENUSCALEUPTRANSITION_END)
 		return;
+	const Image *image = m_growWin->winGetEnabledImage(0);
 	Int x = m_pos.x + ((m_incrementPos.x * m_drawState));
 	Int y = m_pos.y + ((m_incrementPos.y * m_drawState));
 	Int x1 = x + m_size.x + ((m_incrementSize.x * m_drawState));
@@ -1214,9 +1216,9 @@ void MainMenuMediumScaleUpTransition::draw( void )
 {
 	if(!m_win)
 		return;
-	const Image *image = m_win->winGetEnabledImage(0);
 	if(m_drawState <= MAINMENUMEDIUMSCALEUPTRANSITION_START || m_drawState >= MAINMENUMEDIUMSCALEUPTRANSITION_END)
 		return;
+	const Image *image = m_win->winGetEnabledImage(0);
 	Int x = m_pos.x - ((m_incrementSize.x * m_drawState) /2);
 	Int y = m_pos.y - ((m_incrementSize.y * m_drawState) / 2);
 	Int x1 = m_pos.x + m_size.x + ((m_incrementSize.x * m_drawState) / 2);
@@ -1325,9 +1327,9 @@ void MainMenuSmallScaleDownTransition::draw( void )
 {
 	if(!m_win)
 		return;
-	const Image *image = m_win->winGetEnabledImage(0);
 	if(m_drawState <= MAINMENUSMALLSCALEDOWNTRANSITION_START || m_drawState >= MAINMENUSMALLSCALEDOWNTRANSITION_END)
 		return;
+	const Image *image = m_win->winGetEnabledImage(0);
 	Int x = m_pos.x - ((m_incrementSize.x * m_drawState) /2);
 	Int y = m_pos.y - ((m_incrementSize.y * m_drawState) / 2);
 	Int x1 = m_pos.x + m_size.x + ((m_incrementSize.x * m_drawState) / 2);
@@ -1757,7 +1759,7 @@ void ControlBarArrowTransition::reverse( void )
 
 void ControlBarArrowTransition::draw( void )
 {
-	if(m_drawState <0)
+	if(m_drawState < CONTROLBARARROWTRANSITION_START)
 		return;
 	if(m_drawState < CONTROLBARARROWTRANSITION_BEGIN_FADE)
 	{

GeneralsMD/Code/GameEngine/Include/GameClient/GameWindow.h

@@ -65,6 +65,7 @@
 class GameWindow;
 class WindowLayout;
 class GameFont;
+class TransitionWindow;
 struct GameWindowEditData;
 
 ///////////////////////////////////////////////////////////////////////////////
@@ -242,6 +243,9 @@ friend class GameWindowManager;
 	/// draw border for this window only, NO child windows or anything
 	virtual void winDrawBorder( void ) = 0;
 
+	void linkTransitionWindow( TransitionWindow* transitionWindow );
+	void unlinkTransitionWindow( TransitionWindow* transitionWindow );
+
 	Int winSetWindowId( Int id );  ///< set id for this window
 	Int winGetWindowId( void );  ///< return window id for this window
 	Int winSetSize( Int width, Int height );  ///< set size
@@ -382,6 +386,8 @@ friend class GameWindowManager;
 	void freeImages( void ) { }
 	Bool isEnabled( void );  ///< see if we and our parents are enabled
 
+	void unlinkFromTransitionWindows( void );
+
 	void normalizeWindowRegion( void );  ///< put UL corner in window region.lo
 
 	GameWindow *findFirstLeaf( void );  ///< return first leaf of branch
@@ -424,6 +430,9 @@ friend class GameWindowManager;
 	// game window edit data for the GUIEditor only
 	GameWindowEditData *m_editData;
 
+	// vector of window transitions that have a relation to the current GameWindow
+	std::vector<TransitionWindow*> m_transitionWindows;
+
 };  // end class GameWindow
 
 // ModalWindow ----------------------------------------------------------------

GeneralsMD/Code/GameEngine/Include/GameClient/GameWindowTransitions.h

@@ -125,6 +125,7 @@ class Transition
 
 	virtual void skip( void ) = 0;
 
+	void unlinkGameWindow(GameWindow* win) { if ( m_win == win ) m_win = NULL; }
 	Bool isFinished( void ) { return m_isFinished;	}
 	Int getFrameLength( void ){ return m_frameLength;	}
 protected:
@@ -609,7 +610,9 @@ class TransitionWindow
 	void reverse( Int totalFrames );
 	Int  getTotalFrames( void );
 	void skip( void );
-		void draw( void );
+	void draw( void );
+
+	void unlinkGameWindow( GameWindow* win );
 
 // INI parsed vars
 	AsciiString m_winName;

GeneralsMD/Code/GameEngine/Source/GameClient/GUI/GameWindow.cpp

@@ -61,6 +61,7 @@
 #include "GameClient/GadgetStaticText.h"
 #include "GameClient/Mouse.h"
 #include "GameClient/SelectionXlat.h"
+#include "GameClient/GameWindowTransitions.h"
 #ifdef RTS_INTERNAL
 // for occasional debugging...
 //#pragma optimize("", off)
@@ -136,8 +137,51 @@ GameWindow::~GameWindow( void )
 		delete m_editData;
 	m_editData = NULL;
 
+	unlinkFromTransitionWindows();
+
 }  // end ~GameWindow
 
+// GameWindow::linkTransitionWindow ============================================
+//=============================================================================
+void GameWindow::linkTransitionWindow( TransitionWindow* transitionWindow )
+{
+
+	m_transitionWindows.push_back(transitionWindow);
+
+}  // end linkTransitionWindow
+
+// GameWindow::unlinkTransitionWindow =========================================
+//=============================================================================
+void GameWindow::unlinkTransitionWindow( TransitionWindow* transitionWindow )
+{
+
+	std::vector<TransitionWindow*>::iterator it = m_transitionWindows.begin();
+	while ( it != m_transitionWindows.end() )
+	{
+		if ( *it == transitionWindow )
+		{
+			*it = m_transitionWindows.back();
+			m_transitionWindows.pop_back();
+			return;
+		}
+		++it;
+	}
+
+}  // end unlinkTransitionWindow
+
+// GameWindow::unlinkFromTransitionWindows =========================================
+//=============================================================================
+void GameWindow::unlinkFromTransitionWindows( void )
+{
+
+	while ( !m_transitionWindows.empty() )
+	{
+		m_transitionWindows.back()->unlinkGameWindow(this);
+		m_transitionWindows.pop_back();
+	}
+
+}  // end unlinkFromTransitionWindows
+
 // GameWindow::normalizeWindowRegion ==========================================
 /** Puts the upper left corner in the window's region.lo field */
 //=============================================================================

GeneralsMD/Code/GameEngine/Source/GameClient/GUI/GameWindowTransitions.cpp

@@ -158,6 +158,9 @@ TransitionWindow::TransitionWindow( void )
 
 TransitionWindow::~TransitionWindow( void )
 {
+	if (m_win)
+		m_win->unlinkTransitionWindow(this);
+
 	m_win = NULL;
 	if(m_transition)
 		delete m_transition;
@@ -180,6 +183,10 @@ Bool TransitionWindow::init( void )
 	m_transition = getTransitionForStyle( m_style );
 	m_transition->init(m_win);
 
+	// TheSuperHackers @fix Mauller 15/05/2025 Link TransitionWindow to the GameWindow so the GameWindow can unlink itself when it is destroyed
+	if(m_win)
+		m_win->linkTransitionWindow(this);
+
 	return TRUE;
 }
 
@@ -218,6 +225,15 @@ void TransitionWindow::draw( void )
 		m_transition->draw();
 }
 
+void TransitionWindow::unlinkGameWindow(GameWindow* win)
+{
+	if (m_win != win)
+		return;
+
+	m_transition->unlinkGameWindow(win);
+	m_win = NULL;
+}
+
 Int TransitionWindow::getTotalFrames( void )
 {
 	if(m_transition)