[Bf-blender-cvs] [7f23c914781] master: LibOverride: Fix use-after-free error when freeing whole Main DB.

Bastien Montagne noreply at git.blender.org
Thu Aug 29 14:51:18 CEST 2019


Commit: 7f23c914781268977b464a3c0dcba2f89e01dc36
Author: Bastien Montagne
Date:   Thu Aug 29 14:49:54 2019 +0200
Branches: master
https://developer.blender.org/rB7f23c914781268977b464a3c0dcba2f89e01dc36

LibOverride: Fix use-after-free error when freeing whole Main DB.

We do not want to touch other ID pointers in that case; those might
have already been freed...

===================================================================

M	source/blender/blenkernel/BKE_library_override.h
M	source/blender/blenkernel/intern/library_override.c
M	source/blender/blenkernel/intern/library_remap.c
M	source/blender/editors/interface/interface_templates.c

===================================================================

diff --git a/source/blender/blenkernel/BKE_library_override.h b/source/blender/blenkernel/BKE_library_override.h
index 5440b0ebe63..93b2355ce55 100644
--- a/source/blender/blenkernel/BKE_library_override.h
+++ b/source/blender/blenkernel/BKE_library_override.h
@@ -35,8 +35,8 @@ bool BKE_override_library_is_enabled(void);
 
 struct IDOverrideLibrary *BKE_override_library_init(struct ID *local_id, struct ID *reference_id);
 void BKE_override_library_copy(struct ID *dst_id, const struct ID *src_id);
-void BKE_override_library_clear(struct IDOverrideLibrary *override);
-void BKE_override_library_free(struct IDOverrideLibrary **override);
+void BKE_override_library_clear(struct IDOverrideLibrary *override, const bool do_id_user);
+void BKE_override_library_free(struct IDOverrideLibrary **override, const bool do_id_user);
 
 struct ID *BKE_override_library_create_from_id(struct Main *bmain, struct ID *reference_id);
 bool BKE_override_library_create_from_tag(struct Main *bmain);
diff --git a/source/blender/blenkernel/intern/library_override.c b/source/blender/blenkernel/intern/library_override.c
index ce368575492..ba482359607 100644
--- a/source/blender/blenkernel/intern/library_override.c
+++ b/source/blender/blenkernel/intern/library_override.c
@@ -111,11 +111,11 @@ void BKE_override_library_copy(ID *dst_id, const ID *src_id)
 
   if (dst_id->override_library != NULL) {
     if (src_id->override_library == NULL) {
-      BKE_override_library_free(&dst_id->override_library);
+      BKE_override_library_free(&dst_id->override_library, true);
       return;
     }
     else {
-      BKE_override_library_clear(dst_id->override_library);
+      BKE_override_library_clear(dst_id->override_library, true);
     }
   }
   else if (src_id->override_library == NULL) {
@@ -144,7 +144,7 @@ void BKE_override_library_copy(ID *dst_id, const ID *src_id)
 }
 
 /** Clear any overriding data from given \a override. */
-void BKE_override_library_clear(IDOverrideLibrary *override)
+void BKE_override_library_clear(IDOverrideLibrary *override, const bool do_id_user)
 {
   BLI_assert(override != NULL);
 
@@ -153,16 +153,18 @@ void BKE_override_library_clear(IDOverrideLibrary *override)
   }
   BLI_freelistN(&override->properties);
 
-  id_us_min(override->reference);
-  /* override->storage should never be refcounted... */
+  if (do_id_user) {
+    id_us_min(override->reference);
+    /* override->storage should never be refcounted... */
+  }
 }
 
 /** Free given \a override. */
-void BKE_override_library_free(struct IDOverrideLibrary **override)
+void BKE_override_library_free(struct IDOverrideLibrary **override, const bool do_id_user)
 {
   BLI_assert(*override != NULL);
 
-  BKE_override_library_clear(*override);
+  BKE_override_library_clear(*override, do_id_user);
   MEM_freeN(*override);
   *override = NULL;
 }
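Review bot: The new `do_id_user` parameter is the whole contract that prevents the use-after-free, yet neither doc comment describes it (`BKE_override_library_free` in this hunk, `BKE_override_library_clear` in the previous one). I would extend them along the lines of `/** Free given \a override. \param do_id_user: if false, \a override->reference is not touched (it may already be freed, e.g. when freeing the whole Main). */`, so that a future caller does not pass `true` on a teardown path. The `/* override->storage should never be refcounted... */` comment also ended up inside the `if (do_id_user)` block, where it reads as if it depended on the flag; it would sit better above the `if`. `BKE_override_library_clear` leaves `override->reference` set in both cases, so with `false` the field may still hold a stale pointer after the call; that is harmless in `BKE_override_library_free`, which frees the struct right after, but is worth stating for direct callers of clear.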
diff --git a/source/blender/blenkernel/intern/library_remap.c b/source/blender/blenkernel/intern/library_remap.c
index 8fe2552c03f..04ea540fac9 100644
--- a/source/blender/blenkernel/intern/library_remap.c
+++ b/source/blender/blenkernel/intern/library_remap.c
@@ -757,7 +757,7 @@ void BKE_libblock_free_data(ID *id, const bool do_id_user)
   }
 
   if (id->override_library) {
-    BKE_override_library_free(&id->override_library);
+    BKE_override_library_free(&id->override_library, do_id_user);
   }
 
   /* XXX TODO remove animdata handling from each type's freeing func,
diff --git a/source/blender/editors/interface/interface_templates.c b/source/blender/editors/interface/interface_templates.c
index fc2c606dfc8..e2f6355e0f5 100644
--- a/source/blender/editors/interface/interface_templates.c
+++ b/source/blender/editors/interface/interface_templates.c
@@ -538,7 +538,7 @@ static void template_id_cb(bContext *C, void *arg_litem, void *arg_event)
       break;
     case UI_ID_OVERRIDE:
       if (id && id->override_library) {
-        BKE_override_library_free(&id->override_library);
+        BKE_override_library_free(&id->override_library, true);
         /* reassign to get get proper updates/notifiers */
         idptr = RNA_property_pointer_get(&template_ui->ptr, template_ui->prop);
         RNA_property_pointer_set(&template_ui->ptr, template_ui->prop, idptr, NULL);


