[Bf-blender-cvs] [b00822e] blender-v2.77-release: Fix T47644: crash (use-after-free) regression from rB7a74738914a66e.
Bastien Montagne
noreply at git.blender.org
Fri Mar 4 17:36:07 CET 2016
Commit: b00822e42dc822b90ccb7c44ca263af294f68944
Author: Bastien Montagne
Date: Thu Mar 3 14:44:05 2016 +0100
Branches: blender-v2.77-release
https://developer.blender.org/rBb00822e42dc822b90ccb7c44ca263af294f68944
Fix T47644: crash (use-after-free) regression from rB7a74738914a66e.
Handling `me` data here is not good idea anyway, we override it completly with data
from `tmp` (crash came from freeing already existing bb from me, while pointer still existed in tmp).
(rediscovered it while working on T47676...).
To be backported to 2.77.
===================================================================
M source/blender/blenkernel/intern/DerivedMesh.c
===================================================================
diff --git a/source/blender/blenkernel/intern/DerivedMesh.c b/source/blender/blenkernel/intern/DerivedMesh.c
index fa9875e..423e897 100644
--- a/source/blender/blenkernel/intern/DerivedMesh.c
+++ b/source/blender/blenkernel/intern/DerivedMesh.c
@@ -808,13 +808,12 @@ void DM_to_mesh(DerivedMesh *dm, Mesh *me, Object *ob, CustomDataMask mask, bool
}
/* Clear selection history */
- tmp.mselect = NULL;
+ MEM_SAFE_FREE(tmp.mselect);
tmp.totselect = 0;
- if (me->mselect) {
- MEM_freeN(me->mselect);
- }
+ BLI_assert(ELEM(tmp.bb, NULL, me->bb));
if (me->bb) {
MEM_freeN(me->bb);
+ tmp.bb = NULL;
}
/* skip the listbase */
More information about the Bf-blender-cvs
mailing list