[PR #2232] [MERGED] Fix heap read after free in UnmapMemoryImpl #2582

Closed
opened 2026-02-27 22:00:29 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/shadps4-emu/shadPS4/pull/2232
Author: @hspir404
Created: 1/24/2025
Status: Merged
Merged: 1/24/2025
Merged by: @georgemoralis

Base: main ← Head: fix-unmap-memory-stale-read


📝 Commits (1)

  • 595078d (https://github.com/shadps4-emu/shadPS4/commit/595078d856f454fb34c01d0ce85c12ebbf6e7788) Fix stale heap read in UnmapMemoryImpl

📊 Changes

1 file changed (+3 additions, -2 deletions)


📝 src/core/memory.cpp (+3 -2)

📄 Description

This doesn't fix any known behavior, but it fixes a read after free.

`new_it` can become invalidated in `MergeAdjacent`, and the known safe iterator is returned from the function. The old code was discarding that new iterator, and continuing to access memory of the (potentially merged and potentially deleted) data.

The read of `vma.prot` was hanging my debugger (w/ the aggressive debug assertion settings I had enabled in Application Verifier).

I'm not sure what significance the `readonly_file` variable/parameter has here, but it had a chance of being inaccurate before this change.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
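The iterator-invalidation pattern the description refers to, as an added illustration that is not the PR's code: a small model of a VMA table in which a merge helper erases neighbouring nodes and returns the surviving iterator, and an unmap routine that reads the region through that returned iterator rather than the one it passed in. `Vma`, `MergeAdjacent` and `UnmapRange` are assumed names modelled on the description, not shadPS4's `memory.cpp`.

```cpp
#include <cstdint>
#include <iterator>
#include <map>

// Minimal model of a VMA table written for this note; it is not shadPS4's
// memory.cpp, and the names below are assumptions, not the project's API.
struct Vma {
    uint64_t base = 0;
    uint64_t size = 0;
    int prot = 0;          // protection flags; 0 once freed
    bool mapped = false;   // false for a free region
};
using VmaMap = std::map<uint64_t, Vma>;

static bool CanMerge(const Vma& a, const Vma& b) {
    return a.base + a.size == b.base && a.prot == b.prot && a.mapped == b.mapped;
}

// Coalesce `it` with mergeable neighbours. std::map::erase invalidates the
// erased node, so the surviving node is returned; the caller must use that
// return value and drop the iterator it passed in.
static VmaMap::iterator MergeAdjacent(VmaMap& vmas, VmaMap::iterator it) {
    auto next = std::next(it);
    if (next != vmas.end() && CanMerge(it->second, next->second)) {
        it->second.size += next->second.size;
        vmas.erase(next);
    }
    if (it != vmas.begin()) {
        auto prev = std::prev(it);
        if (CanMerge(prev->second, it->second)) {
            prev->second.size += it->second.size;
            vmas.erase(it);  // the caller's iterator now dangles
            it = prev;
        }
    }
    return it;
}

// Unmap the region starting at `base` and return the merged free region.
// Reading the VMA through the iterator MergeAdjacent hands back, instead of
// the stale one, is the fix described in the PR.
static Vma UnmapRange(VmaMap& vmas, uint64_t base) {
    auto it = vmas.find(base);
    if (it == vmas.end()) return Vma{};
    it->second.mapped = false;
    it->second.prot = 0;
    it = MergeAdjacent(vmas, it);  // discarding this return was the use-after-free
    return it->second;              // safe: `it` points at the surviving node
}
```

With a mapped region between two free ones, unmapping the middle region erases both the right neighbour and the original node, so only the returned iterator (the left neighbour) is valid afterwards.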
