[Bf-blender-cvs] [b47137a] master: Fix T47644: crash (use-after-free) regression from rB7a74738914a66e.
Bastien Montagne
noreply at git.blender.org
Thu Mar 3 15:05:38 CET 2016
Commit: b47137ae46ce1b6573e139b39172722aa033326d
Author: Bastien Montagne
Date: Thu Mar 3 14:44:05 2016 +0100
Branches: master
https://developer.blender.org/rBb47137ae46ce1b6573e139b39172722aa033326d
Fix T47644: crash (use-after-free) regression from rB7a74738914a66e.
Handling `me` data here is not a good idea anyway, we override it completely with data
from `tmp` (crash came from freeing already existing bb from me, while pointer still existed in tmp).
(rediscovered it while working on T47676...).
To be backported to 2.77.
===================================================================
M source/blender/blenkernel/intern/DerivedMesh.c
===================================================================
diff --git a/source/blender/blenkernel/intern/DerivedMesh.c b/source/blender/blenkernel/intern/DerivedMesh.c
index 252cee9..3d4c6e8 100644
--- a/source/blender/blenkernel/intern/DerivedMesh.c
+++ b/source/blender/blenkernel/intern/DerivedMesh.c
@@ -808,13 +808,12 @@ void DM_to_mesh(DerivedMesh *dm, Mesh *me, Object *ob, CustomDataMask mask, bool
}
/* Clear selection history */
- tmp.mselect = NULL;
+ MEM_SAFE_FREE(tmp.mselect);
tmp.totselect = 0;
- if (me->mselect) {
- MEM_freeN(me->mselect);
- }
+ BLI_assert(ELEM(tmp.bb, NULL, me->bb));
if (me->bb) {
MEM_freeN(me->bb);
+ tmp.bb = NULL;
}
/* skip the listbase */
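Review bot: in the `if (me->bb)` block the free goes through `me->bb` while the pointer being reset is `tmp.bb`, and only the `BLI_assert(ELEM(tmp.bb, NULL, me->bb))` above ties the two together. If that condition ever does not hold, a `tmp.bb` that differs from `me->bb` is overwritten with NULL without being freed. Consider `MEM_SAFE_FREE(tmp.bb);` here, matching how `tmp.mselect` is handled a few lines up, so the free and the reset act on the same field. A short comment saying why `me` is no longer touched directly would also help the next reader avoid reintroducing the double handling.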