[Bf-blender-cvs] [174f39bd039] blender-v2.93-release: Fix T89265: Crash when tabbing through num inputs

Falk David noreply at git.blender.org
Wed Jun 30 09:30:18 CEST 2021 

Commit: 174f39bd039350737cb84fb21b4dd2264c381a21
Author: Falk David
Date:   Wed Jun 23 14:56:36 2021 +1000
Branches: blender-v2.93-release
https://developer.blender.org/rB174f39bd039350737cb84fb21b4dd2264c381a21

Fix T89265: Crash when tabbing through num inputs

Fix by reverting the part of ec30cf0b742f5181c4de91b474ca01d6a809c593
that assigned `but->editval` in `ui_numedit_begin_set_values`.

Causing access freed memory when using tab to switch
to a numeric input and then leaving the textbox by clicking outside.
This was because `ui_numedit_begin_set_values` shouldn't need to set
`but->editval` and overwrite the pointer.
This would set a pointer that had previously been freed,
causing a `NULL` check to fail later on.

Ref D11679

===================================================================

M	source/blender/editors/interface/interface_handlers.c

===================================================================

diff --git a/source/blender/editors/interface/interface_handlers.c b/source/blender/editors/interface/interface_handlers.c
index a5a5a69728e..3f0a7074dfc 100644
--- a/source/blender/editors/interface/interface_handlers.c
+++ b/source/blender/editors/interface/interface_handlers.c
@@ -3890,6 +3890,13 @@ static void ui_do_but_textedit_select(
 /** \name Button Number Editing (various types)
  * \{ */
 
+static void ui_numedit_begin_set_values(uiBut *but, uiHandleButtonData *data)
+{
+  data->startvalue = ui_but_value_get(but);
+  data->origvalue = data->startvalue;
+  data->value = data->origvalue;
+}
+
 static void ui_numedit_begin(uiBut *but, uiHandleButtonData *data)
 {
   if (but->type == UI_BTYPE_CURVE) {
@@ -3915,16 +3922,12 @@ static void ui_numedit_begin(uiBut *but, uiHandleButtonData *data)
     but->editvec = data->vec;
   }
   else {
-    float softrange, softmin, softmax;
-
-    data->startvalue = ui_but_value_get(but);
-    data->origvalue = data->startvalue;
-    data->value = data->origvalue;
+    ui_numedit_begin_set_values(but, data);
     but->editval = &data->value;
 
-    softmin = but->softmin;
-    softmax = but->softmax;
-    softrange = softmax - softmin;
+    float softmin = but->softmin;
+    float softmax = but->softmax;
+    float softrange = softmax - softmin;
 
     if ((but->type == UI_BTYPE_NUM) && (ui_but_is_cursor_warp(but) == false)) {
       uiButNumber *number_but = (uiButNumber *)but;

More information about the Bf-blender-cvs mailing list