From e05a74184040451f59b634b9005284768b7e05c7 Mon Sep 17 00:00:00 2001
From: foxtacles
Date: Sun, 5 Apr 2026 13:26:37 -0700
Subject: [PATCH] Fix use-after-free in LegoCharacterManager::ReleaseActor (#214) (#793)
Null out the actor's ROI pointer before deletion to prevent its destructor from dereferencing the already-freed ROI.
---
 LEGO1/lego/legoomni/src/common/legocharactermanager.cpp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/LEGO1/lego/legoomni/src/common/legocharactermanager.cpp b/LEGO1/lego/legoomni/src/common/legocharactermanager.cpp
index aa9facbe..de1038b1 100644
--- a/LEGO1/lego/legoomni/src/common/legocharactermanager.cpp
+++ b/LEGO1/lego/legoomni/src/common/legocharactermanager.cpp
@@ -358,6 +358,7 @@ void LegoCharacterManager::ReleaseActor(const char* p_name)
 if (info != NULL) {
 if (info->m_actor != NULL) {
+ info->m_actor->SetROI(NULL, FALSE, FALSE);
 info->m_actor->ClearFlag(LegoEntity::c_managerOwned);
 delete info->m_actor;
 }
@@ -400,6 +401,7 @@ void LegoCharacterManager::ReleaseActor(LegoROI* p_roi)
 if (info != NULL) {
 if (info->m_actor != NULL) {
+ info->m_actor->SetROI(NULL, FALSE, FALSE);
 info->m_actor->ClearFlag(LegoEntity::c_managerOwned);
 delete info->m_actor;
 }
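Review bot: The reason `SetROI(NULL, FALSE, FALSE)` has to run before `delete info->m_actor` is recorded only in the commit message, so in both ReleaseActor overloads (this hunk and the one at -400) the call reads like removable cleanup to a later maintainer. I would put a comment above the new line in each place, for example `// ROI is already freed here: detach it so the actor's destructor cannot dereference it`, and state what the two `FALSE` arguments suppress, since the hunk does not show it. The identical three-statement teardown now appears twice, so a small private helper would keep the ordering invariant in one place; any other path that deletes a manager-owned actor after its ROI has been released would presumably need the same call. It is also worth confirming that `info->m_actor` is reset to NULL after the delete, because both function bodies continue outside the hunks.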