[jak2] fix use-after-free bug in nav enemies (#3240)

Fixes #3153
open-goal · Dec 3, 2023 · be6a6de · be6a6de
1 parent 974f593
commit be6a6de
Show file tree

Hide file tree

Showing 13 changed files with 100 additions and 60 deletions.
diff --git a/goal_src/jak2/engine/nav/nav-enemy.gc b/goal_src/jak2/engine/nav/nav-enemy.gc
@@ -2598,9 +2598,11 @@ This commonly includes things such as:
           (t9-0)
           )
       )
-    (let ((v1-4 (-> self nav)))
-      (logclear! (-> v1-4 shape nav-flags) (nav-flags has-extra-sphere))
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-4 (-> self nav)))
+        (logclear! (-> v1-4 shape nav-flags) (nav-flags has-extra-sphere))
+        ))
     0
     )
   :code (behavior ()

diff --git a/goal_src/jak2/engine/target/mech/grunt-mech.gc b/goal_src/jak2/engine/target/mech/grunt-mech.gc
@@ -683,9 +683,11 @@
       (set! (-> v1-1 prim-core collide-as) (-> self root backup-collide-as))
       (set! (-> v1-1 prim-core collide-with) (-> self root backup-collide-with))
       )
-    (let ((v1-2 (-> self nav)))
-      (logclear! (-> v1-2 shape nav-flags) (nav-flags has-extra-sphere))
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-2 (-> self nav)))
+        (logclear! (-> v1-2 shape nav-flags) (nav-flags has-extra-sphere))
+        ))
     0
     (logior! (-> self root nav-flags) (nav-flags has-root-sphere))
     )

diff --git a/goal_src/jak2/levels/castle/boss/castle-baron.gc b/goal_src/jak2/levels/castle/boss/castle-baron.gc
@@ -2218,14 +2218,18 @@ For example for an elevator pre-compute the distance between the first and last
     )
   :exit (behavior ()
     (set! (-> self next-shooting-frame) 200)
-    (let ((v1-1 (-> self nav)))
-      (set! (-> v1-1 target-speed) 122880.0)
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-1 (-> self nav)))
+        (set! (-> v1-1 target-speed) 122880.0)
+        ))
     0
     (set! (-> *krew-boss-nav-enemy-info* run-travel-speed) 122880.0)
-    (let ((v1-5 (-> self nav)))
-      (set! (-> v1-5 sphere-mask) (the-as uint #x800f8))
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-5 (-> self nav)))
+        (set! (-> v1-5 sphere-mask) (the-as uint #x800f8))
+        ))
     0
     (if (logtest? (enemy-flag enemy-flag43) (-> self enemy-flags))
         (logior! (-> self nav flags) (nav-control-flag update-heading-from-facing))
@@ -2997,9 +3001,11 @@ For example for an elevator pre-compute the distance between the first and last
           (t9-0)
           )
       )
-    (let ((v1-4 (-> self nav)))
-      (set! (-> v1-4 sphere-mask) (the-as uint #x800f8))
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-4 (-> self nav)))
+        (set! (-> v1-4 sphere-mask) (the-as uint #x800f8))
+        ))
     0
     )
   :trans (behavior ()

diff --git a/goal_src/jak2/levels/castle/roboguard-level.gc b/goal_src/jak2/levels/castle/roboguard-level.gc
@@ -368,9 +368,11 @@
     )
   :exit (behavior ()
     (logclear! (-> self nav flags) (nav-control-flag output-sphere-hash))
-    (let ((v1-2 (-> self nav)))
-      (logclear! (-> v1-2 shape nav-flags) (nav-flags has-extra-sphere))
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-2 (-> self nav)))
+        (logclear! (-> v1-2 shape nav-flags) (nav-flags has-extra-sphere))
+        ))
     0
     )
   :code (behavior ()

diff --git a/goal_src/jak2/levels/city/kiddogescort/crocesc-states.gc b/goal_src/jak2/levels/city/kiddogescort/crocesc-states.gc
@@ -601,9 +601,11 @@
     (set! (-> self vehicle-handle) (the-as handle #f))
     (logclear! (-> self bot-flags) (bot-flags bf16))
     (logclear! (-> self focus-status) (focus-status pilot-riding pilot))
-    (let ((v1-5 (-> self nav)))
-      (logclear! (-> v1-5 shape nav-flags) (nav-flags has-extra-sphere))
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-5 (-> self nav)))
+        (logclear! (-> v1-5 shape nav-flags) (nav-flags has-extra-sphere))
+        ))
     0
     (logclear! (-> self focus-status) (focus-status disable))
     (let ((v1-10 (-> self enemy-flags)))

diff --git a/goal_src/jak2/levels/city/kiddogescort/kidesc-states.gc b/goal_src/jak2/levels/city/kiddogescort/kidesc-states.gc
@@ -551,9 +551,11 @@
     (set! (-> self vehicle-handle) (the-as handle #f))
     (logclear! (-> self bot-flags) (bot-flags bf16))
     (logclear! (-> self focus-status) (focus-status pilot-riding pilot))
-    (let ((v1-11 (-> self nav)))
-      (logclear! (-> v1-11 shape nav-flags) (nav-flags has-extra-sphere))
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-11 (-> self nav)))
+        (logclear! (-> v1-11 shape nav-flags) (nav-flags has-extra-sphere))
+        ))
     0
     (logclear! (-> self focus-status) (focus-status disable))
     (let ((v1-16 (-> self enemy-flags)))

diff --git a/goal_src/jak2/levels/city/traffic/citizen/civilian.gc b/goal_src/jak2/levels/city/traffic/citizen/civilian.gc
@@ -1092,9 +1092,11 @@
       (set! (-> v1-5 prim-core collide-with) (-> self root backup-collide-with))
       )
     (logior! (-> self root nav-flags) (nav-flags has-root-sphere))
-    (let ((v1-9 (-> self nav)))
-      (set! (-> v1-9 sphere-mask) (the-as uint #x800fe))
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-9 (-> self nav)))
+        (set! (-> v1-9 sphere-mask) (the-as uint #x800fe))
+        ))
     0
     )
   :trans (behavior ()
@@ -1170,9 +1172,11 @@
       (set! (-> v1-5 prim-core collide-with) (-> self root backup-collide-with))
       )
     (logior! (-> self root nav-flags) (nav-flags has-root-sphere))
-    (let ((v1-9 (-> self nav)))
-      (set! (-> v1-9 sphere-mask) (the-as uint #x800fe))
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-9 (-> self nav)))
+        (set! (-> v1-9 sphere-mask) (the-as uint #x800fe))
+        ))
     0
     )
   :trans (behavior ()
@@ -1594,9 +1598,11 @@
     0
     )
   :exit (behavior ()
-    (let ((v1-0 (-> self nav)))
-      (set! (-> v1-0 sphere-mask) (the-as uint #x800fe))
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-0 (-> self nav)))
+        (set! (-> v1-0 sphere-mask) (the-as uint #x800fe))
+        ))
     0
     (logclear! (-> self flags) (citizen-flag persistent))
     )

diff --git a/goal_src/jak2/levels/common/enemy/fodder/fodder.gc b/goal_src/jak2/levels/common/enemy/fodder/fodder.gc
@@ -580,13 +580,17 @@
     0
     )
   :exit (behavior ()
-    (let ((v1-0 (-> self nav)))
-      (set! (-> v1-0 target-speed) (-> self enemy-info run-travel-speed))
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-0 (-> self nav)))
+        (set! (-> v1-0 target-speed) (-> self enemy-info run-travel-speed))
+        ))
     0
-    (let ((v1-2 (-> self nav)))
-      (set! (-> v1-2 turning-acceleration) (-> self enemy-info run-turning-acceleration))
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-2 (-> self nav)))
+        (set! (-> v1-2 turning-acceleration) (-> self enemy-info run-turning-acceleration))
+        ))
     0
     (fodder-method-181 self #f)
     (if (logtest? (-> self enemy-flags) (enemy-flag check-water))

diff --git a/goal_src/jak2/levels/common/enemy/metalmonk.gc b/goal_src/jak2/levels/common/enemy/metalmonk.gc
@@ -553,13 +553,17 @@
           (t9-0)
           )
       )
-    (let ((v1-4 (-> self nav)))
-      (set! (-> v1-4 max-rotation-rate) (-> self enemy-info maximum-rotation-rate))
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-4 (-> self nav)))
+        (set! (-> v1-4 max-rotation-rate) (-> self enemy-info maximum-rotation-rate))
+        ))
     0
-    (let ((v1-6 (-> self nav)))
-      (set! (-> v1-6 turning-acceleration) (-> self enemy-info run-turning-acceleration))
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-6 (-> self nav)))
+        (set! (-> v1-6 turning-acceleration) (-> self enemy-info run-turning-acceleration))
+        ))
     0
     )
   :code (behavior ()
@@ -725,9 +729,11 @@
     (logclear! (-> self enemy-flags) (enemy-flag actor-pause-backup))
     (metalmonk-method-180 self #f)
     (nav-enemy-method-168 self)
-    (let ((v1-6 (-> self nav)))
-      (set! (-> v1-6 target-speed) (-> self enemy-info run-travel-speed))
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-6 (-> self nav)))
+        (set! (-> v1-6 target-speed) (-> self enemy-info run-travel-speed))
+        ))
     0
     (if (logtest? (-> self enemy-flags) (enemy-flag check-water))
         (logior! (-> self focus-status) (focus-status dangerous))

diff --git a/goal_src/jak2/levels/common/enemy/spyder.gc b/goal_src/jak2/levels/common/enemy/spyder.gc
@@ -1008,9 +1008,11 @@
     )
   :exit (behavior ()
     (logclear! (-> self enemy-flags) (enemy-flag actor-pause-backup))
-    (let ((v1-2 (-> self nav)))
-      (set! (-> v1-2 max-rotation-rate) (-> *spyder-nav-enemy-info* maximum-rotation-rate))
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-2 (-> self nav)))
+        (set! (-> v1-2 max-rotation-rate) (-> *spyder-nav-enemy-info* maximum-rotation-rate))
+        ))
     0
     )
   :trans (behavior ()

diff --git a/goal_src/jak2/levels/common/entities/spydroid.gc b/goal_src/jak2/levels/common/entities/spydroid.gc
@@ -914,9 +914,11 @@
   :exit (behavior ()
     (logclear! (-> self enemy-flags) (enemy-flag actor-pause-backup))
     (nav-enemy-method-168 self)
-    (let ((v1-4 (-> self nav)))
-      (set! (-> v1-4 target-speed) (-> self enemy-info run-travel-speed))
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-4 (-> self nav)))
+        (set! (-> v1-4 target-speed) (-> self enemy-info run-travel-speed))
+        ))
     0
     (if (logtest? (-> self enemy-flags) (enemy-flag check-water))
         (logior! (-> self focus-status) (focus-status dangerous))

diff --git a/goal_src/jak2/levels/mountain/rhino.gc b/goal_src/jak2/levels/mountain/rhino.gc
@@ -1282,9 +1282,11 @@
       (set! (-> v1-1 speed) 0.0)
       )
     0
-    (let ((v1-3 (-> self nav)))
-      (set! (-> v1-3 target-speed) (-> self enemy-info walk-travel-speed))
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-3 (-> self nav)))
+        (set! (-> v1-3 target-speed) (-> self enemy-info walk-travel-speed))
+        ))
     0
     (set! (-> self in-stop-run) #f)
     )

diff --git a/goal_src/jak2/levels/nest/mantis.gc b/goal_src/jak2/levels/nest/mantis.gc
@@ -748,9 +748,11 @@
     )
   :exit (behavior ()
     (change-to (nav-mesh-from-res-tag (-> self entity) 'nav-mesh-actor 0) self)
-    (let ((v1-2 (-> self nav)))
-      (set! (-> v1-2 max-rotation-rate) (-> self enemy-info maximum-rotation-rate))
-      )
+    ;; og:preserve-this fix potential use-after-free bug
+    (if (-> self nav)
+      (let ((v1-2 (-> self nav)))
+        (set! (-> v1-2 max-rotation-rate) (-> self enemy-info maximum-rotation-rate))
+        ))
     0
     )
   :trans (behavior ()