Steal the ownership of the string in action_if_variable to avoid use-after-free issues

MrPowerGamerBR · MrPowerGamerBR · commit 7ef2ae0065af · 2026-04-12T20:56:15.000-03:00
diff --git a/src/vm_builtins.c b/src/vm_builtins.c
@@ -4375,11 +4375,10 @@ static RValue builtinActionIfVariable(VMContext* ctx, MAYBE_UNUSED RValue* args,
         }
     }
 
-    if (check) {
-        return args[1];
-    } else {
-        return args[2];
-    }
+    int32_t idx = check ? 1 : 2;
+    RValue result = args[idx];
+    args[idx].ownsString = false; // Steal ownership to avoid double-free in handleCall
+    return result;
 }
 
 STUB_RETURN_UNDEFINED(action_sound)

Original file line number	Diff line number	Diff line change
`@@ -4375,11 +4375,10 @@ static RValue builtinActionIfVariable(VMContext* ctx, MAYBE_UNUSED RValue* args,`
`4375`	`4375`	`}`
`4376`	`4376`	`}`
`4377`	`4377`
`4378`		`- if (check) {`
`4379`		`- return args[1];`
`4380`		`- } else {`
`4381`		`- return args[2];`
`4382`		`- }`
	`4378`	`+ int32_t idx = check ? 1 : 2;`
	`4379`	`+ RValue result = args[idx];`
	`4380`	`+ args[idx].ownsString = false; // Steal ownership to avoid double-free in handleCall`
	`4381`	`+ return result;`
`4383`	`4382`	`}`
`4384`	`4383`
`4385`	`4384`	`STUB_RETURN_UNDEFINED(action_sound)`