Fix possible use after free in plRegistryPageNode::UnloadKeys

Short explanation: the destructor of plRegistryKeyList may indirectly
access other entries of fKeyLists where the plRegistryKeyList has
already been deleted, but not yet removed from the map.

Long explanation:
* Deleting a plRegistryKeyList also deletes all plKeys inside it, which
  decrements the reference count of the objects they point to.
* If one of the deleted keys happens to be the last reference to an
  object, this also deletes the object itself.
* The object's destructor might in turn delete another plKey, which
  calls SetKeyUnused, which tries to look up the key in its page.
* If this second plKey belongs to the page that is currently being
  unloaded, then its plRegistryKeyList may be partially or completely
  deleted, but still listed in the fKeyLists map. In this case, the key
  lookup accesses already freed memory.

(ported from H-uru/Plasma@a529e35fd940543752fd74efd0fe63039a03c4a6)

Sources/Plasma/PubUtilLib/plResMgr/plRegistryKeyList.cpp

@@ -59,8 +59,10 @@ plRegistryKeyList::~plRegistryKeyList()
 	for (int i = 0; i < fStaticKeys.size(); i++)
 	{
 		plKeyImp* keyImp = fStaticKeys[i];
-		if (!keyImp->ObjectIsLoaded())
+		if (keyImp && !keyImp->ObjectIsLoaded()) {
 			delete keyImp;
+			keyImp = nullptr;
+		}
 	}
 }
 

Sources/Plasma/PubUtilLib/plResMgr/plRegistryNode.cpp

@@ -204,6 +204,7 @@ void plRegistryPageNode::UnloadKeys()
 	{
 		plRegistryKeyList* keyList = it->second;
 		delete keyList;
+		it->second = nullptr;
 	}
 	fKeyLists.clear();