[Bf-blender-cvs] [c0fdf165610] master: Fix T94454: Python API curve to mesh use after free without depsgraph

Hans Goudey noreply at git.blender.org
Wed Dec 29 23:53:10 CET 2021 

Commit: c0fdf16561034f85aadae8a513db16144609b821
Author: Hans Goudey
Date:   Wed Dec 29 16:53:02 2021 -0600
Branches: master
https://developer.blender.org/rBc0fdf16561034f85aadae8a513db16144609b821

Fix T94454: Python API curve to mesh use after free without depsgraph

This was caused by a mistake in eb0eb54d9644c5139, which removed
the clearing of the curve edit mode pointers that are set when creating
the temporary data for the conversion. If they are not cleared, the
generic ID free function will also free the edit mode data, which is
wrong when the source curve is in edit mode.

===================================================================

M	source/blender/blenkernel/intern/mesh_convert.cc

===================================================================

diff --git a/source/blender/blenkernel/intern/mesh_convert.cc b/source/blender/blenkernel/intern/mesh_convert.cc
index 43242e3a093..12fa9d16fd1 100644
--- a/source/blender/blenkernel/intern/mesh_convert.cc
+++ b/source/blender/blenkernel/intern/mesh_convert.cc
@@ -901,6 +901,20 @@ static Object *object_for_curve_to_mesh_create(const Object *object)
   return temp_object;
 }
 
+static void object_for_curve_to_mesh_free(Object *temp_object)
+{
+  /* Clear edit mode pointers that were explicitly copied to the temporary curve. */
+  ID *final_object_data = static_cast<ID *>(temp_object->data);
+  if (GS(final_object_data->name) == ID_CU) {
+    Curve &curve = *reinterpret_cast<Curve *>(final_object_data);
+    curve.editfont = nullptr;
+    curve.editnurb = nullptr;
+  }
+
+  BKE_id_free(nullptr, temp_object->data);
+  BKE_id_free(nullptr, temp_object);
+}
+
 /**
  * Populate `object->runtime.curve_cache` which is then used to create the mesh.
  */
@@ -1003,8 +1017,7 @@ static Mesh *mesh_new_from_curve_type_object(const Object *object)
 
   Mesh *mesh = mesh_new_from_evaluated_curve_type_object(temp_object);
 
-  BKE_id_free(nullptr, temp_object->data);
-  BKE_id_free(nullptr, temp_object);
+  object_for_curve_to_mesh_free(temp_object);
 
   return mesh;
 }

More information about the Bf-blender-cvs mailing list