[DH] Fix pick_up_fragment crash on Vengeance with multiple threads

taherbert · taherbert · commit 50ff7d3a56e4 · 2026-03-14T10:19:57.000-07:00
consume_soul_fragments() deletes fragments via remove() but didn't
cancel a pending pick_up_fragment event that may hold a pointer to
one of them. The event then dereferences freed memory.

consume_nearby_soul_fragments() already cancels the event correctly;
this brings consume_soul_fragments() in line.
diff --git a/engine/class_modules/sc_demon_hunter.cpp b/engine/class_modules/sc_demon_hunter.cpp
@@ -12104,6 +12104,10 @@ unsigned demon_hunter_t::consume_soul_fragments( soul_fragment type, bool instan
     }
   }
 
+  // Cancel any pending pick_up_fragment event since consume() below will
+  // delete the fragment it may be referencing, causing a use-after-free.
+  event_t::cancel( soul_fragment_pick_up );
+
   for ( auto& it : candidates )
   {
     it->consume( instant );

Original file line number	Diff line number	Diff line change
`@@ -12104,6 +12104,10 @@ unsigned demon_hunter_t::consume_soul_fragments( soul_fragment type, bool instan`
`12104`	`12104`	`}`
`12105`	`12105`	`}`
`12106`	`12106`
	`12107`	`+ // Cancel any pending pick_up_fragment event since consume() below will`
	`12108`	`+ // delete the fragment it may be referencing, causing a use-after-free.`
	`12109`	`+ event_t::cancel( soul_fragment_pick_up );`
	`12110`	`+`
`12107`	`12111`	`for ( auto& it : candidates )`
`12108`	`12112`	`{`
`12109`	`12113`	`it->consume( instant );`