From c3e11b4283cb3f12c78bdc62aecd3cf2d3be2d02 Mon Sep 17 00:00:00 2001
From: Kawe Mazidjatari <48657826+Mauler125@users.noreply.github.com>
Date: Sun, 8 Oct 2023 16:37:10 +0200
Subject: [PATCH] Pylon: fix use after free

The member must contain a copy of the string, pointing it to the buffer used by the language cvar results in undefined behavior. Several cases were the string pointed to random data were reported.
---
 src/networksystem/pylon.cpp | 3 +--
 src/networksystem/pylon.h | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/networksystem/pylon.cpp b/src/networksystem/pylon.cpp
index 6a9892c7..ea7eda32 100644
--- a/src/networksystem/pylon.cpp
+++ b/src/networksystem/pylon.cpp
@@ -390,8 +390,7 @@ bool CPylon::QueryServer(const char* endpoint, const char* request,
 string finalUrl;
 CURLFormatUrl(finalUrl, hostName, endpoint);
-
- finalUrl += Format("?language=%s", this->m_Language);
+ finalUrl += Format("?language=%s", this->m_Language.c_str());
 CURLParams params;
diff --git a/src/networksystem/pylon.h b/src/networksystem/pylon.h
index ec6b40f7..cd4d4e55 100644
--- a/src/networksystem/pylon.h
+++ b/src/networksystem/pylon.h
@@ -34,6 +34,6 @@ public:
 private:
 string m_Token;
 string m_ErrorMsg;
- const char* m_Language;
+ string m_Language;
 };
 extern CPylon* g_pMasterServer;
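Review bot: The language value is still appended to the query string unescaped in `finalUrl += Format("?language=%s", this->m_Language.c_str());`, so a value containing `&`, `#`, `%` or whitespace would change the shape of the request URL. The commit message says the value originates from the language cvar; if that cvar can hold arbitrary text, it should be percent-encoded (libcurl's `curl_easy_escape` does this) or checked against the set of supported language names before it is formatted in. QueryServer's body starts and ends outside the hunk, so any earlier validation is not visible here.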
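Review bot: Nothing on the `m_Language` declaration in pylon.h records why it has to be an owning `string`, and the code that assigns it is not part of this diff. I would add a comment such as `// Owned copy of the language cvar value; the cvar's buffer may be freed or reallocated, so never store its pointer here.` so the raw-pointer member is not reintroduced later. Assuming `string` is `std::string`, the assignment site should also reject a null `const char*` before copying, since constructing a string from null is undefined behavior. If the cvar can change while QueryServer runs on another thread, the copy and the read need synchronization; both of these are inferred rather than shown in the hunk.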