From 05a7e9e3f647cf77c2782f8f24b05a8d37117ccc Mon Sep 17 00:00:00 2001
From: joveeater
Date: Sat, 27 Jan 2024 10:39:58 +0000
Subject: [PATCH] fix: uaf in safe references (#4165)

* Fixes a uaf in safe references

* style(autofix.ci): automated formatting

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
---
 src/safe_reference.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/safe_reference.h b/src/safe_reference.h
index 7334885bc67..552aeb6e300 100644
--- a/src/safe_reference.h
+++ b/src/safe_reference.h
@@ -154,6 +154,7 @@ class safe_reference
             } else {
                 rec->mem_count--;
                 rec = rec->target.redirect;
+                rec->mem_count++;
             }
         }
     }
@@ -368,13 +369,12 @@ class safe_reference
         if( sec_rec->id == ID_NONE ) {
             sec_rec->id = REDIRECTED_MASK;
             sec_rec->target.redirect = pri_rec;
-        }
-
-        //They both have an id
-        if( pri_rec->id != ID_NONE && sec_rec->id != ID_NONE ) {
+            pri_rec->mem_count++;
+        } else {
             //This is the worse case, we actually need a redirect
             sec_rec->id = sec_rec->id | REDIRECTED_MASK;
             sec_rec->target.redirect = pri_rec;
+            pri_rec->mem_count++;
         }
     }
 
--
2.43.0
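Review bot: The added `rec->mem_count++` after following `rec->target.redirect` only keeps the counts balanced if a redirected record releases its own reference on the target when the record itself is dropped; that release path is outside this hunk (the enclosing function starts before it), so it is worth confirming that freeing a record with REDIRECTED_MASK set decrements `target.redirect->mem_count`, otherwise the target is leaked rather than freed early. The invariant the fix relies on is not stated anywhere in the hunk; a comment on the new line such as `// a redirect holds a count on its target; carry our reference along the chain so the target outlives this walk` would make the pairing with the preceding `rec->mem_count--` explicit. The same set-redirect-then-bump-target pattern is repeated twice in the second hunk of this patch.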
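Review bot: After this change the two branches of `if( sec_rec->id == ID_NONE )` differ only in how `sec_rec->id` is set, while `sec_rec->target.redirect = pri_rec;` and `pri_rec->mem_count++;` are duplicated in both; hoisting those two lines below the if/else (and, if ID_NONE is zero, collapsing the branch to `sec_rec->id |= REDIRECTED_MASK;`) removes the duplication and leaves a single place where the redirect reference is taken. The new `else` also drops the old `pri_rec->id != ID_NONE` guard, so a sec_rec that has an id now always redirects to pri_rec even when pri_rec has none; the function begins before this hunk, so presumably an earlier branch excludes that case, but it is worth confirming since the previous code left it without a redirect.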