[PR #2232] [MERGED] Fix heap read after free in UnmapMemoryImpl #2582

New issue

Closed

opened 2026-02-27 22:00:29 +03:00 by kerem · 0 comments

kerem commented

2026-02-27 22:00:29 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/shadps4-emu/shadPS4/pull/2232
Author: @hspir404
Created: 1/24/2025
Status: ✅ Merged
Merged: 1/24/2025
Merged by: @georgemoralis

Base: main ← Head: fix-unmap-memory-stale-read

📝 Commits (1)

595078d Fix stale heap read in UnmapMemoryImpl

📊 Changes

1 file changed (+3 additions, -2 deletions)

View changed files

📝 src/core/memory.cpp (+3 -2)

📄 Description

This doesn't fix any known behavior, but it fixes a read after free.

new_it can become invalidated in MergeAdjacent, and the known safe iterator is returned from the function. The old code was discarding that new iterator, and continuing to access memory of the (potentially merged and potentially deleted) data.

The read of vma.prot was hanging my debugger (w/ the aggressive debug assertion settings I had enabled in Application Verifier).

I'm not sure what significance the readonly_file variable/parameter has here, but it had a chance of being inaccurate before this change.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/shadps4-emu/shadPS4/pull/2232 **Author:** [@hspir404](https://github.com/hspir404) **Created:** 1/24/2025 **Status:** ✅ Merged **Merged:** 1/24/2025 **Merged by:** [@georgemoralis](https://github.com/georgemoralis) **Base:** `main` ← **Head:** `fix-unmap-memory-stale-read` --- ### 📝 Commits (1) - [`595078d`](https://github.com/shadps4-emu/shadPS4/commit/595078d856f454fb34c01d0ce85c12ebbf6e7788) Fix stale heap read in UnmapMemoryImpl ### 📊 Changes **1 file changed** (+3 additions, -2 deletions) <details> <summary>View changed files</summary> 📝 `src/core/memory.cpp` (+3 -2) </details> ### 📄 Description This doesn't fix any known behavior, but it fixes a read after free. `new_it` can become invalidated in `MergeAdjacent`, and the known safe iterator is returned from the function. The old code was discarding that new iterator, and continuing to access memory of the (potentially merged and potentially deleted) data. The read of `vma.prot` was hanging my debugger (w/ the aggressive debug assertion settings I had enabled in Application Verifier). I'm not sure what significance the `readonly_file` variable/parameter has here, but it had a chance of being inaccurate before this change. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>