[Bf-blender-cvs] [d4e8390e95d] master: Fix T92153: use-after-free with anonymous attributes

Wed Oct 13 15:39:16 CEST 2021

Commit: d4e8390e95d9663a32012dcc39a9bbe08330e75b
Author: Jacques Lucke
Date:   Wed Oct 13 15:36:52 2021 +0200
Branches: master
https://developer.blender.org/rBd4e8390e95d9663a32012dcc39a9bbe08330e75b

Fix T92153: use-after-free with anonymous attributes

Differential Revision: https://developer.blender.org/D12851

===================================================================

M	source/blender/blenkernel/intern/anonymous_attribute.cc
M	source/blender/blenkernel/intern/customdata.c

===================================================================

diff --git a/source/blender/blenkernel/intern/anonymous_attribute.cc b/source/blender/blenkernel/intern/anonymous_attribute.cc
index 67611053d83..22c2f83e8be 100644
--- a/source/blender/blenkernel/intern/anonymous_attribute.cc
+++ b/source/blender/blenkernel/intern/anonymous_attribute.cc
@@ -97,6 +97,7 @@ void BKE_anonymous_attribute_id_decrement_weak(const AnonymousAttributeID *anony
 {
   const int new_refcount = anonymous_id->refcount_tot.fetch_sub(1) - 1;
   if (new_refcount == 0) {
+    BLI_assert(anonymous_id->refcount_strong == 0);
     delete anonymous_id;
   }
 }
diff --git a/source/blender/blenkernel/intern/customdata.c b/source/blender/blenkernel/intern/customdata.c
index 3bb02e1856b..d86b8163ebc 100644
--- a/source/blender/blenkernel/intern/customdata.c
+++ b/source/blender/blenkernel/intern/customdata.c
@@ -2595,6 +2595,11 @@ static CustomDataLayer *customData_add_layer__internal(CustomData *data,
     data->layers[index] = data->layers[index - 1];
   }
 
+  /* Clear remaining data on the layer. The original data on the layer has been moved to another
+   * index. Without this, it can happen that information from the previous layer at that index
+   * leaks into the new layer. */
+  memset(data->layers + index, 0, sizeof(CustomDataLayer));
+
   data->layers[index].type = type;
   data->layers[index].flag = flag;
   data->layers[index].data = newlayerdata;

