From 5ca40984437e162bf781a36c69aa9e5bb451cfb4 Mon Sep 17 00:00:00 2001
From: rubidium <rubidium@openttd.org>
Date: Mon, 5 Jul 2010 21:07:31 +0000
Subject: (svn r20082) -Fix [FS#3899]: reading deleted memory when selecting a
 NewGRF in the content download window of which the data has not been acquired
 from the content server. The crash would occur after the content server's
 reply was processed and the ContentInfo object was replaced with another.

---
 src/network/network_content.cpp | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/network/network_content.cpp b/src/network/network_content.cpp
index 062586593..f70f0e724 100644
--- a/src/network/network_content.cpp
+++ b/src/network/network_content.cpp
@@ -132,8 +132,16 @@ DEF_CONTENT_RECEIVE_COMMAND(Client, PACKET_CONTENT_SERVER_INFO)
 			if (StrEmpty(ci->name)) strecpy(ci->name, ici->name, lastof(ci->name));
 			if (ici->IsSelected()) ci->state = ici->state;
 
-			delete ici;
-			*iter = ci;
+			/*
+			 * As ici might be selected by the content window we cannot delete that.
+			 * However, we want to keep most of the values of ci, except the values
+			 * we (just) already preserved. As there are already allocated blobs of
+			 * memory and more may be added, we cannot simply copy ci to ici as that
+			 * might cause a leak of memory. As such we need to swap the data and
+			 * then delete the memory we allocated here.
+			 */
+			Swap(*ici, *ci);
+			delete ci;
 
 			this->OnReceiveContentInfo(ci);
 			return true;
-- 
cgit v1.2.3-54-g00ecf