Fix potential use-after-free with item metadata (#12729)

This fixes a use-after-free bug in the case where itemstack metadata is accessed after the itemstack has been garbage-collected.

1 files changed, 10 insertions, 7 deletions

diff --git a/src/script/lua_api/l_itemstackmeta.h b/src/script/lua_api/l_itemstackmeta.h
index c3198be4f..68d2ba8fa 100644
--- a/src/script/lua_api/l_itemstackmeta.h
+++ b/src/script/lua_api/l_itemstackmeta.h
@@ -23,13 +23,13 @@ with this program; if not, write to the Free Software Foundation, Inc.,
 
 #include "lua_api/l_base.h"
 #include "lua_api/l_metadata.h"
+#include "lua_api/l_item.h"
 #include "irrlichttypes_bloated.h"
-#include "inventory.h"
 
 class ItemStackMetaRef : public MetaDataRef
 {
 private:
-	ItemStack *istack = nullptr;
+	LuaItemStack *istack;
 
 	static const char className[];
 	static const luaL_Reg methods[];
@@ -44,12 +44,12 @@ private:
 
 	void setToolCapabilities(const ToolCapabilities &caps)
 	{
-		istack->metadata.setToolCapabilities(caps);
+		istack->getItem().metadata.setToolCapabilities(caps);
 	}
 
 	void clearToolCapabilities()
 	{
-		istack->metadata.clearToolCapabilities();
+		istack->getItem().metadata.clearToolCapabilities();
 	}
 
 	// Exported functions
@@ -58,12 +58,15 @@ private:
 	// garbage collector
 	static int gc_object(lua_State *L);
 public:
-	ItemStackMetaRef(ItemStack *istack): istack(istack) {}
-	~ItemStackMetaRef() = default;
+	// takes a reference
+	ItemStackMetaRef(LuaItemStack *istack);
+	~ItemStackMetaRef();
+
+	DISABLE_CLASS_COPY(ItemStackMetaRef)
 
 	// Creates an ItemStackMetaRef and leaves it on top of stack
 	// Not callable from Lua; all references are created on the C side.
-	static void create(lua_State *L, ItemStack *istack);
+	static void create(lua_State *L, LuaItemStack *istack);
 
 	static void Register(lua_State *L);
 };