The Creature class destructor loops over the conditions member variable and calls condition->endCondition then deletes the condition object, however, ConditionInvisible::endCondition calls Creature::isInvisible, which subsequently loops over the conditions (which are not erased when being deleted in the destructor), calling condition->getType on an already deleted memory, resulting in UAF. This fixes the issue by first ending all conditions, then deleting them separately (as erasing the elements one-by-one in the Creature destructor does not make much sense).
The
Creatureclass destructor loops over theconditionsmember variable and callscondition->endConditionthendeletes the condition object, however,ConditionInvisible::endConditioncallsCreature::isInvisible, which subsequently loops over theconditions(which are not erased when being deleted in the destructor), callingcondition->getTypeon an already deleted memory, resulting in UAF. This fixes the issue by first ending all conditions, then deleting them separately (as erasing the elements one-by-one in theCreaturedestructor does not make much sense).