Fix use-after-free in Browse Field handler

[diath]

Transforming an item placed on a Tile with Browse Field open on that tile will call Tile::updateThing, which will subsequently call Tile::onUpdateTileItem, which then ensures that the Browse Field's Container is in sync with the Tile, however, Tile::updateThing passes the same Item pointer as both the oldItem and newItem arguments to Tile::onUpdateTileItem which only coincidentally works for the majority of items whose flags do not happen to transition between being movable and not being movable. If you transform a movable item to a non-movable item, the second branch of the Browse Field handling in Tile::onUpdateTileItem will never execute, leaving the Item that has now been deleted in the Browse Field Container's itemlist member, any further interaction with the item, or waiting for the Browse Field to expire will then result in use-after-free. This fixes the issue by passing a proper oldItem argument to detect such item state transitions. Unfortunately, this comes at the cost of Item::clone call, I'm not sure if there's a more efficient way to handle this.

[nekiro]

Is this reproducible by any steps or does it happen randomly?
From the explanation I assume it's reproducible with certain conditions meet, would be great if you used template or provide steps to reproduce

[nekiro]

Can't reproduce, steps I tried:

1. Wrote a script that creates item on ground (moveable item - 2110) and after 500ms transformed it into non moveable one (2784) with browse field opened in that position
2. Item was removed from my browse field window and transformed on map
3. Nothing happens when I remove the item, no crashes

Also tried with decay system, made torch decay into non moveable item in 5 seconds, no crash either.
I noticed Tile::onUpdateTileItem and Tile::updateThing is not triggered for this action (the transform).