Engine: Fix use after free when using removed clone threads

adazem009 · adazem009 · commit d25e968908b0 · 2025-03-05T11:03:18.000+01:00
All threads are copied to m_threadsToStop, including clone threads that are removed later which can lead to use after free when the threadAboutToStop signal is emitted for these threads.
diff --git a/src/engine/internal/engine.cpp b/src/engine/internal/engine.cpp
@@ -321,31 +321,34 @@ void Engine::stop()
     // https://github.com/scratchfoundation/scratch-vm/blob/f1aa92fad79af17d9dd1c41eeeadca099339a9f1/src/engine/runtime.js#L2057-L2081
     if (m_activeThread) {
         stopThread(m_activeThread.get());
-        // NOTE: The project should continue running even after "stop all" is called and the remaining threads should be stepped once.
-        // The remaining threads can even start new threads which will ignore the "stop all" call and will "restart" the project.
-        // This is probably a bug in the Scratch VM, but let's keep it here to keep it compatible.
-        m_threadsToStop = m_threads;
 
         // Remove threads owned by clones because clones are going to be deleted (#547)
         m_threads.erase(
             std::remove_if(
                 m_threads.begin(),
                 m_threads.end(),
-                [](std::shared_ptr<Thread> thread) {
+                [this](std::shared_ptr<Thread> thread) {
                     assert(thread);
                     Target *target = thread->target();
                     assert(target);
 
                     if (!target->isStage()) {
                         Sprite *sprite = static_cast<Sprite *>(target);
 
-                        if (sprite->isClone())
+                        if (sprite->isClone()) {
+                            m_threadAboutToStop(thread.get());
                             return true;
+                        }
                     }
 
                     return false;
                 }),
             m_threads.end());
+
+        // NOTE: The project should continue running even after "stop all" is called and the remaining threads should be stepped once.
+        // The remaining threads can even start new threads which will ignore the "stop all" call and will "restart" the project.
+        // This is probably a bug in the Scratch VM, but let's keep it here to keep it compatible.
+        m_threadsToStop = m_threads;
     } else {
         // If there isn't any active thread, it means the project was stopped from the outside
         // In this case all threads should be removed and the project should be considered stopped
