[Bf-blender-cvs] [d16897eb2ec] vr_scene_inspection: Fix use-after-free when opening file with VR session running

Julian Eisel noreply at git.blender.org
Mon Mar 16 18:11:12 CET 2020


Commit: d16897eb2ec0764e409bfbe96dfbf843c2e698b2
Author: Julian Eisel
Date:   Mon Mar 16 18:10:34 2020 +0100
Branches: vr_scene_inspection
https://developer.blender.org/rBd16897eb2ec0764e409bfbe96dfbf843c2e698b2

Fix use-after-free when opening file with VR session running

===================================================================

M	source/blender/windowmanager/intern/wm_operators.c
M	source/blender/windowmanager/intern/wm_xr.c
M	source/blender/windowmanager/wm.h

===================================================================

diff --git a/source/blender/windowmanager/intern/wm_operators.c b/source/blender/windowmanager/intern/wm_operators.c
index a3093c3e241..450fcdf38e7 100644
--- a/source/blender/windowmanager/intern/wm_operators.c
+++ b/source/blender/windowmanager/intern/wm_operators.c
@@ -3666,9 +3666,10 @@ static void wm_xr_session_update_mirror_views(Main *bmain, const wmXrData *xr_da
   }
 }
 
-static void wm_xr_session_exit_cb(const wmXrData *xr_data, void *customdata)
+static void wm_xr_session_update_mirror_views_cb(const wmXrData *xr_data)
 {
-  wm_xr_session_update_mirror_views(customdata, xr_data);
+  /* Just use G_MAIN here, storing main isn't reliable enough on file read or exit. */
+  wm_xr_session_update_mirror_views(G_MAIN, xr_data);
 }
 
 static int wm_xr_session_toggle_exec(bContext *C, wmOperator *UNUSED(op))
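Review bot: `wm_xr_session_update_mirror_views_cb` passes `G_MAIN` straight through without checking that it is still set, although the new comment itself says this callback fires on file read and on exit. If the session exit can be delivered after the global Main has been cleared or torn down during shutdown (not visible here), the use-after-free would become a NULL or stale dereference inside `wm_xr_session_update_mirror_views`, whose body lies outside the hunk. A guard such as `if (G_MAIN == NULL) { return; }` before the call would make that assumption explicit. The comment could also state the cause, presumably something like `/* The Main passed at session start may be freed when a new file is read. */`.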
@@ -3681,7 +3682,7 @@ static int wm_xr_session_toggle_exec(bContext *C, wmOperator *UNUSED(op))
     return OPERATOR_CANCELLED;
   }
 
-  wm_xr_session_toggle(wm, wm_xr_session_exit_cb, bmain);
+  wm_xr_session_toggle(wm, wm_xr_session_update_mirror_views_cb);
   wm_xr_session_update_mirror_views(bmain, &wm->xr);
 
   WM_event_add_notifier(C, NC_WM | ND_XR_DATA_CHANGED, NULL);
diff --git a/source/blender/windowmanager/intern/wm_xr.c b/source/blender/windowmanager/intern/wm_xr.c
index d39e9b7a0b1..7a1e406a247 100644
--- a/source/blender/windowmanager/intern/wm_xr.c
+++ b/source/blender/windowmanager/intern/wm_xr.c
@@ -98,7 +98,6 @@ typedef struct wmXrRuntimeData {
   /* Although this struct is internal, RNA gets a handle to this for state information queries. */
   wmXrSessionState session_state;
   wmXrSessionExitFn exit_fn;
-  void *exit_customdata;
 } wmXrRuntimeData;
 
 typedef struct wmXrDrawData {
@@ -441,7 +440,7 @@ static void wm_xr_session_exit_cb(void *customdata)
 
   xr_data->runtime->session_state.is_started = false;
   if (xr_data->runtime->exit_fn) {
-    xr_data->runtime->exit_fn(xr_data, xr_data->runtime->exit_customdata);
+    xr_data->runtime->exit_fn(xr_data);
   }
 
   /* Free the entire runtime data (including session state and context), to play safe. */
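Review bot: The `xr_data` dereferenced in `wm_xr_session_exit_cb` is still a raw pointer held outside the window manager. The next hunk's context shows `r_begin_info->exit_customdata = xr_data`, and `wm_xr_session_toggle` sets `xr_data = &wm->xr`. This commit removes the stored `Main *`, but if file read can also replace or free the window manager while a session is running (not determinable from this diff), this pointer would dangle in the same way. It is worth confirming that path and adding a comment at the assignment, e.g. `/* xr_data points into wmWindowManager; must stay valid until the session exit callback has run. */`. The function starts and ends outside the hunk.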
@@ -457,9 +456,7 @@ static void wm_xr_session_begin_info_create(wmXrData *xr_data,
   r_begin_info->exit_customdata = xr_data;
 }
 
-void wm_xr_session_toggle(wmWindowManager *wm,
-                          wmXrSessionExitFn session_exit_fn,
-                          void *session_exit_customdata)
+void wm_xr_session_toggle(wmWindowManager *wm, wmXrSessionExitFn session_exit_fn)
 {
   wmXrData *xr_data = &wm->xr;
 
@@ -471,7 +468,6 @@ void wm_xr_session_toggle(wmWindowManager *wm,
 
     xr_data->runtime->session_state.is_started = true;
     xr_data->runtime->exit_fn = session_exit_fn;
-    xr_data->runtime->exit_customdata = session_exit_customdata;
 
     wm_xr_session_begin_info_create(xr_data, &begin_info);
     GHOST_XrSessionStart(xr_data->runtime->context, &begin_info);
diff --git a/source/blender/windowmanager/wm.h b/source/blender/windowmanager/wm.h
index 47aa68aee96..22c01df5d3b 100644
--- a/source/blender/windowmanager/wm.h
+++ b/source/blender/windowmanager/wm.h
@@ -99,14 +99,12 @@ void wm_open_init_load_ui(wmOperator *op, bool use_prefs);
 void wm_open_init_use_scripts(wmOperator *op, bool use_prefs);
 
 #ifdef WITH_XR_OPENXR
-typedef void (*wmXrSessionExitFn)(const wmXrData *xr_data, void *customdata);
+typedef void (*wmXrSessionExitFn)(const wmXrData *xr_data);
 
 /* wm_xr.c */
 bool wm_xr_init(wmWindowManager *wm);
 void wm_xr_exit(wmWindowManager *wm);
-void wm_xr_session_toggle(wmWindowManager *wm,
-                          wmXrSessionExitFn session_exit_fn,
-                          void *session_exit_customdata);
+void wm_xr_session_toggle(wmWindowManager *wm, wmXrSessionExitFn session_exit_fn);
 bool wm_xr_events_handle(wmWindowManager *wm);
 #endif
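Review bot: The `wmXrSessionExitFn` typedef has no comment describing the callback contract, which matters more now that the customdata slot is gone. Per the wm_xr.c hunks, the callback runs in the session exit handler after `is_started` is cleared and just before the runtime data is freed. An implementation therefore must not keep `xr_data` or anything reached through `xr_data->runtime`, and has to look up other state such as Main at call time. Suggested comment above the typedef: `/* Called on session exit, right before the XR runtime data is freed. Don't store xr_data; look up Main at call time. */`.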


