From 82307e319e7fe84a99c427888d1a64e0c8e8cf47 Mon Sep 17 00:00:00 2001
From: sogladev <sogladev@gmail.com>
Date: Wed, 4 Mar 2026 06:06:43 +0100
Subject: [PATCH] fix(Core/Movement): use-after-free using
 DontCacheRandomMovementPaths (#24935)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../MovementGenerators/RandomMovementGenerator.cpp        | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/server/game/Movement/MovementGenerators/RandomMovementGenerator.cpp b/src/server/game/Movement/MovementGenerators/RandomMovementGenerator.cpp
index 56109087f..996544943 100644
--- a/src/server/game/Movement/MovementGenerators/RandomMovementGenerator.cpp
+++ b/src/server/game/Movement/MovementGenerators/RandomMovementGenerator.cpp
@@ -211,7 +211,8 @@ void RandomMovementGenerator<Creature>::_setRandomLocation(Creature* creature)
     }
 
     _currentPoint = newPoint;
-    G3D::Vector3& finalPoint = finalPath[finalPath.size() - 1];
+    ASSERT(!finalPath.empty());
+    G3D::Vector3 finalPoint = finalPath.back();
     _currDestPosition.Relocate(finalPoint.x, finalPoint.y, finalPoint.z);
 
     creature->AddUnitState(UNIT_STATE_ROAMING_MOVE);
@@ -239,12 +240,13 @@ void RandomMovementGenerator<Creature>::_setRandomLocation(Creature* creature)
         _moveCount = 0;
         _nextMoveTime.Reset(urand(4000, 8000));
     }
-    if (sWorld->getBoolConfig(CONFIG_DONT_CACHE_RANDOM_MOVEMENT_PATHS))
-        _preComputedPaths.erase(pathIdx);
 
     //Call for creature group update
     if (creature->GetFormation() && creature->GetFormation()->GetLeader() == creature)
         creature->GetFormation()->LeaderMoveTo(finalPoint.x, finalPoint.y, finalPoint.z, 0);
+
+    if (sWorld->getBoolConfig(CONFIG_DONT_CACHE_RANDOM_MOVEMENT_PATHS))
+        _preComputedPaths.erase(pathIdx);
 }
 
 template<>