Synchronize changes from 1.6 branch [ci skip]

github-actions[bot] · github-actions[bot] · commit 1a732bf08ac9 · 2025-10-18T02:40:32.000Z
c27d6b3 Fix SA crash at 0x002a65ef f17490e CEF memory leaks #2 bd7a2af CEF memory leaks #1
diff --git a/Client/cefweb/CAjaxResourceHandler.cpp b/Client/cefweb/CAjaxResourceHandler.cpp
@@ -18,6 +18,15 @@ CAjaxResourceHandler::CAjaxResourceHandler(std::vector<SString>& vecGet, std::ve
 {
 }
 
+CAjaxResourceHandler::~CAjaxResourceHandler()
+{
+    // Ensure callback is released if handler is destroyed before completion
+    if (m_callback)
+    {
+        m_callback = nullptr;
+    }
+}
+
 std::vector<SString>& CAjaxResourceHandler::GetGetData()
 {
     return m_vecGetData;
@@ -34,12 +43,18 @@ void CAjaxResourceHandler::SetResponse(const SString& data)
     m_bHasData = true;
 
     if (m_callback)
+    {
         m_callback->Continue();
+        // Release callback to prevent memory leak
+        m_callback = nullptr;
+    }
 }
 
 // CefResourceHandler implementation
 void CAjaxResourceHandler::Cancel()
 {
+    // Release callback reference on cancellation to prevent memory leak
+    m_callback = nullptr;
 }
 
 void CAjaxResourceHandler::GetResponseHeaders(CefRefPtr<CefResponse> response, int64& response_length, CefString& redirectUrl)
diff --git a/Client/cefweb/CAjaxResourceHandler.h b/Client/cefweb/CAjaxResourceHandler.h
@@ -20,6 +20,7 @@ class CAjaxResourceHandler : public CefResourceHandler, public CAjaxResourceHand
 {
 public:
     CAjaxResourceHandler(std::vector<SString>& vecGet, std::vector<SString>& vecPost, const CefString& mimeType);
+    virtual ~CAjaxResourceHandler();
 
     virtual std::vector<SString>& GetGetData() override;
     virtual std::vector<SString>& GetPostData() override;
diff --git a/Client/cefweb/CWebCore.cpp b/Client/cefweb/CWebCore.cpp
@@ -109,13 +109,22 @@ void CWebCore::DestroyWebView(CWebViewInterface* pWebViewInterface)
     CefRefPtr<CWebView> pWebView = dynamic_cast<CWebView*>(pWebViewInterface);
     if (pWebView)
     {
+        // Mark as being destroyed to prevent new events/tasks
+        pWebView->SetBeingDestroyed(true);
+        
         // Ensure that no attached events or tasks are in the queue
         RemoveWebViewEvents(pWebView.get());
         RemoveWebViewTasks(pWebView.get());
 
+        // Remove from list before closing to break reference cycles early
         m_WebViews.remove(pWebView);
-        // pWebView->Release(); // Do not release since other references get corrupted then
+        
+        // CloseBrowser will eventually trigger OnBeforeClose which clears m_pWebView
+        // This breaks the circular reference: CWebView -> CefBrowser -> CWebView
         pWebView->CloseBrowser();
+        
+        // Note: Do not call Release() - let CefRefPtr manage the lifecycle
+        // The circular reference is broken via OnBeforeClose setting m_pWebView = nullptr
     }
 }
 
@@ -164,6 +173,18 @@ void CWebCore::AddEventToEventQueue(std::function<void()> event, CWebView* pWebV
 
     std::lock_guard<std::mutex> lock(m_EventQueueMutex);
 
+    // Prevent unbounded queue growth - drop oldest events if queue is too large
+    if (m_EventQueue.size() >= MAX_EVENT_QUEUE_SIZE)
+    {
+        // Log warning even in release builds as this indicates a serious issue
+        g_pCore->GetConsole()->Printf("WARNING: Browser event queue size limit reached (%d), dropping oldest events", MAX_EVENT_QUEUE_SIZE);
+        
+        // Remove oldest 10% of events to make room
+        auto removeCount = MAX_EVENT_QUEUE_SIZE / 10;
+        for (size_t i = 0; i < removeCount && !m_EventQueue.empty(); ++i)
+            m_EventQueue.pop_front();
+    }
+
 #ifndef MTA_DEBUG
     m_EventQueue.push_back(EventEntry(event, pWebView));
 #else
@@ -215,6 +236,22 @@ void CWebCore::WaitForTask(std::function<void(bool)> task, CWebView* webView)
     std::future<void> result;
     {
         std::scoped_lock lock(m_TaskQueueMutex);
+        
+        // Prevent unbounded queue growth - if queue is too large, oldest tasks will be dropped during pulse
+        if (m_TaskQueue.size() >= MAX_TASK_QUEUE_SIZE)
+        {
+#ifdef MTA_DEBUG
+            g_pCore->GetConsole()->Printf("Warning: Task queue size limit reached (%d), task will be aborted", MAX_TASK_QUEUE_SIZE);
+#endif
+            // Must still queue the task to fulfill the future, but it will be aborted during processing
+            // Removing oldest task to make room
+            if (!m_TaskQueue.empty())
+            {
+                m_TaskQueue.front().task(true);  // Abort oldest task
+                m_TaskQueue.pop_front();
+            }
+        }
+        
         m_TaskQueue.emplace_back(TaskEntry{task, webView});
         result = m_TaskQueue.back().task.get_future();
     }
@@ -358,13 +395,39 @@ void CWebCore::AddAllowedPage(const SString& strURL, eWebFilterType filterType)
 {
     std::lock_guard<std::recursive_mutex> lock(m_FilterMutex);
 
+    // Prevent unbounded whitelist growth - remove old REQUEST entries if limit reached
+    if (m_Whitelist.size() >= MAX_WHITELIST_SIZE)
+    {
+        // Remove WEBFILTER_REQUEST entries (temporary session entries)
+        for (auto iter = m_Whitelist.begin(); iter != m_Whitelist.end();)
+        {
+            if (iter->second.second == eWebFilterType::WEBFILTER_REQUEST)
+                m_Whitelist.erase(iter++);
+            else
+                ++iter;
+        }
+    }
+
     m_Whitelist[strURL] = std::pair<bool, eWebFilterType>(true, filterType);
 }
 
 void CWebCore::AddBlockedPage(const SString& strURL, eWebFilterType filterType)
 {
     std::lock_guard<std::recursive_mutex> lock(m_FilterMutex);
 
+    // Prevent unbounded whitelist growth - remove old REQUEST entries if limit reached
+    if (m_Whitelist.size() >= MAX_WHITELIST_SIZE)
+    {
+        // Remove WEBFILTER_REQUEST entries (temporary session entries)
+        for (auto iter = m_Whitelist.begin(); iter != m_Whitelist.end();)
+        {
+            if (iter->second.second == eWebFilterType::WEBFILTER_REQUEST)
+                m_Whitelist.erase(iter++);
+            else
+                ++iter;
+        }
+    }
+
     m_Whitelist[strURL] = std::pair<bool, eWebFilterType>(false, filterType);
 }
 
diff --git a/Client/cefweb/CWebCore.h b/Client/cefweb/CWebCore.h
@@ -20,6 +20,9 @@
 #define MTA_BROWSERDATA_PATH "mta/cef/browserdata.xml"
 #define BROWSER_LIST_UPDATE_INTERVAL (24*60*60)
 #define BROWSER_UPDATE_URL "https://cef.multitheftauto.com/get.php"
+#define MAX_EVENT_QUEUE_SIZE 10000
+#define MAX_TASK_QUEUE_SIZE 1000
+#define MAX_WHITELIST_SIZE 50000
 #define GetNextSibling(hwnd) GetWindow(hwnd, GW_HWNDNEXT) // Re-define the conflicting macro
 #define GetFirstChild(hwnd) GetTopWindow(hwnd)
 
diff --git a/Client/cefweb/CWebView.cpp b/Client/cefweb/CWebView.cpp
@@ -44,8 +44,15 @@ CWebView::~CWebView()
     // Make sure we don't dead lock the CEF render thread
     ResumeCefThread();
 
-    // Ensure that CefRefPtr::~CefRefPtr doesn't try to release it twice (it has already been released in CWebView::OnBeforeClose)
-    m_pWebView = nullptr;
+    // Clean up AJAX handlers to prevent accumulation
+    m_AjaxHandlers.clear();
+
+    // Break circular reference: ensure browser reference is cleared
+    // This is to prevent memory leaks from CWebView <-> CefBrowser cycles
+    if (m_pWebView)
+    {
+        m_pWebView = nullptr;
+    }
 
     OutputDebugLine("CWebView::~CWebView");
 }
@@ -83,6 +90,9 @@ void CWebView::CloseBrowser()
     // Make sure we don't dead lock the CEF render thread
     ResumeCefThread();
 
+    // Clear AJAX handlers early to prevent late event processing
+    m_AjaxHandlers.clear();
+
     if (m_pWebView)
         m_pWebView->GetHost()->CloseBrowser(true);
 }
@@ -500,8 +510,12 @@ bool CWebView::HasAjaxHandler(const SString& strURL)
 
 void CWebView::HandleAjaxRequest(const SString& strURL, CAjaxResourceHandler* pHandler)
 {
-    auto func = std::bind(&CWebBrowserEventsInterface::Events_OnAjaxRequest, m_pEventsInterface, pHandler, strURL);
-    g_pCore->GetWebCore()->AddEventToEventQueue(func, this, "AjaxResourceRequest");
+    // Only queue event if not being destroyed to prevent UAF
+    if (!m_bBeingDestroyed)
+    {
+        auto func = std::bind(&CWebBrowserEventsInterface::Events_OnAjaxRequest, m_pEventsInterface, pHandler, strURL);
+        g_pCore->GetWebCore()->AddEventToEventQueue(func, this, "AjaxResourceRequest");
+    }
 }
 
 bool CWebView::ToggleDevTools(bool visible)
@@ -719,6 +733,8 @@ void CWebView::OnPaint(CefRefPtr<CefBrowser> browser, CefRenderHandler::PaintEle
     m_RenderData.width = width;
     m_RenderData.height = height;
     m_RenderData.dirtyRects = dirtyRects;
+    // Prevent vector capacity growth memory leak - shrink excess capacity
+    m_RenderData.dirtyRects.shrink_to_fit();
     m_RenderData.changed = true;
 
     // Wait for the main thread to handle drawing the texture
diff --git a/Client/game_sa/CVehicleSA.cpp b/Client/game_sa/CVehicleSA.cpp
@@ -1809,7 +1809,7 @@ void CVehicleSA::RecalculateSuspensionLines()
 
     DWORD       dwModel = GetModelIndex();
     CModelInfo* pModelInfo = pGame->GetModelInfo(dwModel);
-    if (pModelInfo && pModelInfo->IsMonsterTruck() || pModelInfo->IsCar())
+    if (pModelInfo && (pModelInfo->IsCar() || pModelInfo->IsMonsterTruck() || pModelInfo->IsTrailer()))
     {
         // Trains (Their trailers do as well!)
         if (pModelInfo->IsTrain() || dwModel == 571 || dwModel == 570 || dwModel == 569 || dwModel == 590)
diff --git a/Client/mods/deathmatch/logic/CClientVehicle.cpp b/Client/mods/deathmatch/logic/CClientVehicle.cpp
@@ -4300,6 +4300,11 @@ void CClientVehicle::ApplyHandling()
     if (!m_pVehicle)
         return;
 
+    // Ensure model is loaded before recalculating handling
+    CModelInfo* pModelInfo = g_pGame->GetModelInfo(GetModel());
+    if (!pModelInfo || !pModelInfo->IsLoaded())
+        return;
+
     m_pVehicle->RecalculateHandling();
 
     if (m_eVehicleType == CLIENTVEHICLE_BMX || m_eVehicleType == CLIENTVEHICLE_BIKE)
diff --git a/Client/mods/deathmatch/logic/CStaticFunctionDefinitions.cpp b/Client/mods/deathmatch/logic/CStaticFunctionDefinitions.cpp
@@ -8905,6 +8905,10 @@ bool CStaticFunctionDefinitions::SetVehicleHandling(CClientVehicle* pVehicle, Ha
     {
         if (SetEntryHandling(pEntry, eProperty, ucValue))
         {
+            CModelInfo* pModelInfo = g_pGame->GetModelInfo(pVehicle->GetModel());
+            if (!pModelInfo || !pModelInfo->IsLoaded())
+                return false;
+
             pVehicle->ApplyHandling();
             return true;
         }
@@ -8922,6 +8926,10 @@ bool CStaticFunctionDefinitions::SetVehicleHandling(CClientVehicle* pVehicle, Ha
     {
         if (SetEntryHandling(pEntry, eProperty, uiValue))
         {
+            CModelInfo* pModelInfo = g_pGame->GetModelInfo(pVehicle->GetModel());
+            if (!pModelInfo || !pModelInfo->IsLoaded())
+                return false;
+
             pVehicle->ApplyHandling();
             return true;
         }
@@ -8939,6 +8947,10 @@ bool CStaticFunctionDefinitions::SetVehicleHandling(CClientVehicle* pVehicle, Ha
     {
         if (SetEntryHandling(pEntry, eProperty, fValue))
         {
+            CModelInfo* pModelInfo = g_pGame->GetModelInfo(pVehicle->GetModel());
+            if (!pModelInfo || !pModelInfo->IsLoaded())
+                return false;
+
             pVehicle->ApplyHandling();
             return true;
         }
@@ -8956,6 +8968,10 @@ bool CStaticFunctionDefinitions::SetVehicleHandling(CClientVehicle* pVehicle, Ha
     {
         if (SetEntryHandling(pEntry, eProperty, strValue))
         {
+            CModelInfo* pModelInfo = g_pGame->GetModelInfo(pVehicle->GetModel());
+            if (!pModelInfo || !pModelInfo->IsLoaded())
+                return false;
+
             pVehicle->ApplyHandling();
             return true;
         }
@@ -8973,6 +8989,10 @@ bool CStaticFunctionDefinitions::SetVehicleHandling(CClientVehicle* pVehicle, Ha
     {
         if (SetEntryHandling(pEntry, eProperty, vecValue))
         {
+            CModelInfo* pModelInfo = g_pGame->GetModelInfo(pVehicle->GetModel());
+            if (!pModelInfo || !pModelInfo->IsLoaded())
+                return false;
+
             pVehicle->ApplyHandling();
             return true;
         }
@@ -9031,6 +9051,10 @@ bool CStaticFunctionDefinitions::ResetVehicleHandling(CClientVehicle* pVehicle)
             pEntry->SetSuspensionUpperLimit(pEntry->GetSuspensionLowerLimit() - 0.1f);
     }
 
+    CModelInfo* pModelInfo = g_pGame->GetModelInfo(pVehicle->GetModel());
+    if (!pModelInfo || !pModelInfo->IsLoaded())
+        return false;
+
     pVehicle->ApplyHandling();
 
     return true;
@@ -9080,6 +9104,10 @@ bool CStaticFunctionDefinitions::ResetVehicleHandlingProperty(CClientVehicle* pV
             return false;
         }
 
+        CModelInfo* pModelInfo = g_pGame->GetModelInfo(pVehicle->GetModel());
+        if (!pModelInfo || !pModelInfo->IsLoaded())
+            return false;
+
         pVehicle->ApplyHandling();
 
         return true;
diff --git a/Client/mods/deathmatch/logic/luadefs/CLuaVehicleDefs.cpp b/Client/mods/deathmatch/logic/luadefs/CLuaVehicleDefs.cpp
@@ -2518,6 +2518,15 @@ int CLuaVehicleDefs::SetVehicleHandling(lua_State* luaVM)
 
     if (!argStream.HasErrors())
     {
+        // Check if the vehicle model is loaded
+        CModelInfo* pModelInfo = g_pGame->GetModelInfo(pVehicle->GetModel());
+        if (!pModelInfo || !pModelInfo->IsLoaded())
+        {
+            m_pScriptDebugging->LogWarning(luaVM, "setVehicleHandling failed: vehicle model not loaded");
+            lua_pushboolean(luaVM, false);
+            return 1;
+        }
+
         if (argStream.NextIsString())
         {
             SString strProperty;

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,15 @@ CAjaxResourceHandler::CAjaxResourceHandler(std::vector<SString>& vecGet, std::ve`
`18`	`18`	`{`
`19`	`19`	`}`
`20`	`20`
	`21`	`+CAjaxResourceHandler::~CAjaxResourceHandler()`
	`22`	`+{`
	`23`	`+ // Ensure callback is released if handler is destroyed before completion`
	`24`	`+ if (m_callback)`
	`25`	`+ {`
	`26`	`+ m_callback = nullptr;`
	`27`	`+ }`
	`28`	`+}`
	`29`	`+`
`21`	`30`	`std::vector<SString>& CAjaxResourceHandler::GetGetData()`
`22`	`31`	`{`
`23`	`32`	`return m_vecGetData;`
`@@ -34,12 +43,18 @@ void CAjaxResourceHandler::SetResponse(const SString& data)`
`34`	`43`	`m_bHasData = true;`
`35`	`44`
`36`	`45`	`if (m_callback)`
	`46`	`+ {`
`37`	`47`	`m_callback->Continue();`
	`48`	`+ // Release callback to prevent memory leak`
	`49`	`+ m_callback = nullptr;`
	`50`	`+ }`
`38`	`51`	`}`
`39`	`52`
`40`	`53`	`// CefResourceHandler implementation`
`41`	`54`	`void CAjaxResourceHandler::Cancel()`
`42`	`55`	`{`
	`56`	`+ // Release callback reference on cancellation to prevent memory leak`
	`57`	`+ m_callback = nullptr;`
`43`	`58`	`}`
`44`	`59`
`45`	`60`	`void CAjaxResourceHandler::GetResponseHeaders(CefRefPtr<CefResponse> response, int64& response_length, CefString& redirectUrl)`
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ class CAjaxResourceHandler : public CefResourceHandler, public CAjaxResourceHand`
`20`	`20`	`{`
`21`	`21`	`public:`
`22`	`22`	`CAjaxResourceHandler(std::vector<SString>& vecGet, std::vector<SString>& vecPost, const CefString& mimeType);`
	`23`	`+ virtual ~CAjaxResourceHandler();`
`23`	`24`
`24`	`25`	`virtual std::vector<SString>& GetGetData() override;`
`25`	`26`	`virtual std::vector<SString>& GetPostData() override;`
Original file line number	Diff line number	Diff line change
`@@ -1809,7 +1809,7 @@ void CVehicleSA::RecalculateSuspensionLines()`
`1809`	`1809`
`1810`	`1810`	`DWORD dwModel = GetModelIndex();`
`1811`	`1811`	`CModelInfo* pModelInfo = pGame->GetModelInfo(dwModel);`
`1812`		`- if (pModelInfo && pModelInfo->IsMonsterTruck() \|\| pModelInfo->IsCar())`
	`1812`	`+ if (pModelInfo && (pModelInfo->IsCar() \|\| pModelInfo->IsMonsterTruck() \|\| pModelInfo->IsTrailer()))`
`1813`	`1813`	`{`
`1814`	`1814`	`// Trains (Their trailers do as well!)`
`1815`	`1815`	`if (pModelInfo->IsTrain() \|\| dwModel == 571 \|\| dwModel == 570 \|\| dwModel == 569 \|\| dwModel == 590)`
Original file line number	Diff line number	Diff line change
`@@ -8905,6 +8905,10 @@ bool CStaticFunctionDefinitions::SetVehicleHandling(CClientVehicle* pVehicle, Ha`
`8905`	`8905`	`{`
`8906`	`8906`	`if (SetEntryHandling(pEntry, eProperty, ucValue))`
`8907`	`8907`	`{`
	`8908`	`+ CModelInfo* pModelInfo = g_pGame->GetModelInfo(pVehicle->GetModel());`
	`8909`	`+ if (!pModelInfo \|\| !pModelInfo->IsLoaded())`
	`8910`	`+ return false;`
	`8911`	`+`
`8908`	`8912`	`pVehicle->ApplyHandling();`
`8909`	`8913`	`return true;`
`8910`	`8914`	`}`
`@@ -8922,6 +8926,10 @@ bool CStaticFunctionDefinitions::SetVehicleHandling(CClientVehicle* pVehicle, Ha`
`8922`	`8926`	`{`
`8923`	`8927`	`if (SetEntryHandling(pEntry, eProperty, uiValue))`
`8924`	`8928`	`{`
	`8929`	`+ CModelInfo* pModelInfo = g_pGame->GetModelInfo(pVehicle->GetModel());`
	`8930`	`+ if (!pModelInfo \|\| !pModelInfo->IsLoaded())`
	`8931`	`+ return false;`
	`8932`	`+`
`8925`	`8933`	`pVehicle->ApplyHandling();`
`8926`	`8934`	`return true;`
`8927`	`8935`	`}`
`@@ -8939,6 +8947,10 @@ bool CStaticFunctionDefinitions::SetVehicleHandling(CClientVehicle* pVehicle, Ha`
`8939`	`8947`	`{`
`8940`	`8948`	`if (SetEntryHandling(pEntry, eProperty, fValue))`
`8941`	`8949`	`{`
	`8950`	`+ CModelInfo* pModelInfo = g_pGame->GetModelInfo(pVehicle->GetModel());`
	`8951`	`+ if (!pModelInfo \|\| !pModelInfo->IsLoaded())`
	`8952`	`+ return false;`
	`8953`	`+`
`8942`	`8954`	`pVehicle->ApplyHandling();`
`8943`	`8955`	`return true;`
`8944`	`8956`	`}`
`@@ -8956,6 +8968,10 @@ bool CStaticFunctionDefinitions::SetVehicleHandling(CClientVehicle* pVehicle, Ha`
`8956`	`8968`	`{`
`8957`	`8969`	`if (SetEntryHandling(pEntry, eProperty, strValue))`
`8958`	`8970`	`{`
	`8971`	`+ CModelInfo* pModelInfo = g_pGame->GetModelInfo(pVehicle->GetModel());`
	`8972`	`+ if (!pModelInfo \|\| !pModelInfo->IsLoaded())`
	`8973`	`+ return false;`
	`8974`	`+`
`8959`	`8975`	`pVehicle->ApplyHandling();`
`8960`	`8976`	`return true;`
`8961`	`8977`	`}`
`@@ -8973,6 +8989,10 @@ bool CStaticFunctionDefinitions::SetVehicleHandling(CClientVehicle* pVehicle, Ha`
`8973`	`8989`	`{`
`8974`	`8990`	`if (SetEntryHandling(pEntry, eProperty, vecValue))`
`8975`	`8991`	`{`
	`8992`	`+ CModelInfo* pModelInfo = g_pGame->GetModelInfo(pVehicle->GetModel());`
	`8993`	`+ if (!pModelInfo \|\| !pModelInfo->IsLoaded())`
	`8994`	`+ return false;`
	`8995`	`+`
`8976`	`8996`	`pVehicle->ApplyHandling();`
`8977`	`8997`	`return true;`
`8978`	`8998`	`}`
`@@ -9031,6 +9051,10 @@ bool CStaticFunctionDefinitions::ResetVehicleHandling(CClientVehicle* pVehicle)`
`9031`	`9051`	`pEntry->SetSuspensionUpperLimit(pEntry->GetSuspensionLowerLimit() - 0.1f);`
`9032`	`9052`	`}`
`9033`	`9053`
	`9054`	`+ CModelInfo* pModelInfo = g_pGame->GetModelInfo(pVehicle->GetModel());`
	`9055`	`+ if (!pModelInfo \|\| !pModelInfo->IsLoaded())`
	`9056`	`+ return false;`
	`9057`	`+`
`9034`	`9058`	`pVehicle->ApplyHandling();`
`9035`	`9059`
`9036`	`9060`	`return true;`
`@@ -9080,6 +9104,10 @@ bool CStaticFunctionDefinitions::ResetVehicleHandlingProperty(CClientVehicle* pV`
`9080`	`9104`	`return false;`
`9081`	`9105`	`}`
`9082`	`9106`
	`9107`	`+ CModelInfo* pModelInfo = g_pGame->GetModelInfo(pVehicle->GetModel());`
	`9108`	`+ if (!pModelInfo \|\| !pModelInfo->IsLoaded())`
	`9109`	`+ return false;`
	`9110`	`+`
`9083`	`9111`	`pVehicle->ApplyHandling();`
`9084`	`9112`
`9085`	`9113`	`return true;`