[Bf-blender-cvs] [102631486b4] master: Fix potential invalid memory access in surface force field BVH tree.

Andrew Williams noreply at git.blender.org
Tue Jan 22 15:26:19 CET 2019


Commit: 102631486b480d98c2d9b921a95472688bba8416
Author: Andrew Williams
Date:   Tue Jan 22 12:51:14 2019 +0100
Branches: master
https://developer.blender.org/rB102631486b480d98c2d9b921a95472688bba8416

Fix potential invalid memory access in surface force field BVH tree.

Free the BVH tree immediately along with the mesh, otherwise we might access
invalid mesh data.

Differential Revision: https://developer.blender.org/D4201

===================================================================

M	source/blender/blenkernel/intern/bvhutils.c
M	source/blender/blenlib/intern/BLI_kdopbvh.c
M	source/blender/modifiers/intern/MOD_surface.c

===================================================================

diff --git a/source/blender/blenkernel/intern/bvhutils.c b/source/blender/blenkernel/intern/bvhutils.c
index c264eb8a1d2..644672c52fc 100644
--- a/source/blender/blenkernel/intern/bvhutils.c
+++ b/source/blender/blenkernel/intern/bvhutils.c
@@ -1112,6 +1112,8 @@ BVHTree *BKE_bvhtree_from_mesh_get(
 			data_cp.vert = mesh->mvert;
 
 			if (data_cp.cached == false) {
+				/* TODO: a global mutex lock held during the expensive operation of
+				 * building the BVH tree is really bad for performance. */
 				BLI_rw_mutex_lock(&cache_rwlock, THREAD_LOCK_WRITE);
 				data_cp.cached = bvhcache_find(
 				        mesh->runtime.bvh_cache, type, &data_cp.tree);
diff --git a/source/blender/blenlib/intern/BLI_kdopbvh.c b/source/blender/blenlib/intern/BLI_kdopbvh.c
index d497c7a83ab..2819c1c5943 100644
--- a/source/blender/blenlib/intern/BLI_kdopbvh.c
+++ b/source/blender/blenlib/intern/BLI_kdopbvh.c
@@ -908,23 +908,17 @@ BVHTree *BLI_bvhtree_new(int maxsize, float epsilon, char tree_type, char axis)
 
 
 fail:
-	MEM_SAFE_FREE(tree->nodes);
-	MEM_SAFE_FREE(tree->nodebv);
-	MEM_SAFE_FREE(tree->nodechild);
-	MEM_SAFE_FREE(tree->nodearray);
-
-	MEM_freeN(tree);
-
+	BLI_bvhtree_free(tree);
 	return NULL;
 }
 
 void BLI_bvhtree_free(BVHTree *tree)
 {
 	if (tree) {
-		MEM_freeN(tree->nodes);
-		MEM_freeN(tree->nodearray);
-		MEM_freeN(tree->nodebv);
-		MEM_freeN(tree->nodechild);
+		MEM_SAFE_FREE(tree->nodes);
+		MEM_SAFE_FREE(tree->nodearray);
+		MEM_SAFE_FREE(tree->nodebv);
+		MEM_SAFE_FREE(tree->nodechild);
 		MEM_freeN(tree);
 	}
 }
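Review bot: `BLI_bvhtree_free` is now also the cleanup path for a partially constructed tree (the `fail:` label in `BLI_bvhtree_new`), but nothing at the function says that NULL member arrays are expected. I would add a comment above it such as `/* Safe on a partially built tree: NULL member arrays are skipped. */` so a later edit does not revert to unconditional `MEM_freeN`. This relies on the member pointers being zero-initialised before any `goto fail`, which is presumably the case but is outside this hunk, as is the allocation of `tree` itself. It is worth confirming that no `goto fail` is reachable with uninitialised members.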
diff --git a/source/blender/modifiers/intern/MOD_surface.c b/source/blender/modifiers/intern/MOD_surface.c
index c5fa510f2e0..a7198b5721e 100644
--- a/source/blender/modifiers/intern/MOD_surface.c
+++ b/source/blender/modifiers/intern/MOD_surface.c
@@ -96,8 +96,15 @@ static void deformVerts(
 	SurfaceModifierData *surmd = (SurfaceModifierData *) md;
 	const int cfra = (int)DEG_get_ctime(ctx->depsgraph);
 
+	/* Free mesh and BVH cache. */
+	if (surmd->bvhtree) {
+		free_bvhtree_from_mesh(surmd->bvhtree);
+		MEM_SAFE_FREE(surmd->bvhtree);
+	}
+
 	if (surmd->mesh) {
 		BKE_id_free(NULL, surmd->mesh);
+		surmd->mesh = NULL;
 	}
 
 	if (mesh) {
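Review bot: The comment `/* Free mesh and BVH cache. */` does not record that the order is the fix: per the commit message, the tree has to be freed along with the mesh because it could otherwise be used to access invalid mesh data. I would word it as `/* Free the BVH tree before the mesh it was built from, so the tree never points at freed mesh data. */`. Because `MEM_SAFE_FREE` leaves `surmd->bvhtree` NULL whenever the later rebuild is not reached, any reader of `surmd->bvhtree` outside this function presumably needs a NULL check; those readers are not visible here. `deformVerts` starts before and continues past this hunk.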
@@ -168,10 +175,7 @@ static void deformVerts(
 
 		surmd->cfra = cfra;
 
-		if (surmd->bvhtree)
-			free_bvhtree_from_mesh(surmd->bvhtree);
-		else
-			surmd->bvhtree = MEM_callocN(sizeof(BVHTreeFromMesh), "BVHTreeFromMesh");
+		surmd->bvhtree = MEM_callocN(sizeof(BVHTreeFromMesh), "BVHTreeFromMesh");
 
 		if (surmd->mesh->totpoly)
 			BKE_bvhtree_from_mesh_get(surmd->bvhtree, surmd->mesh, BVHTREE_FROM_LOOPTRI, 2);
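Review bot: The unconditional assignment to `surmd->bvhtree` would leak the previous struct if the pointer were ever non-NULL here, and the only thing preventing that is the free added at the top of `deformVerts`, in a separate hunk. Making the invariant explicit with `BLI_assert(surmd->bvhtree == NULL);` on the line before the `MEM_callocN` call would catch a regression in debug builds. The `MEM_callocN` result is also handed to `BKE_bvhtree_from_mesh_get` without a NULL check; if the allocator can return NULL in this build, that call may dereference NULL, so a guard may be warranted. The enclosing block continues past the hunk.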


