[Bf-blender-cvs] [4389067929d] master: Fix possible use-after-free in drag-drop handling logic
Julian Eisel
noreply at git.blender.org
Thu Sep 30 16:39:33 CEST 2021
Commit: 4389067929d9a57923b7a85ec29b8ca9633fef29
Author: Julian Eisel
Date: Thu Sep 30 16:33:25 2021 +0200
Branches: master
https://developer.blender.org/rB4389067929d9a57923b7a85ec29b8ca9633fef29
Fix possible use-after-free in drag-drop handling logic
Would happen when there were multiple drag items in parallel. There was
a listbase constructed with the same item twice, even though that item
would be deleted after it was handled the first time.
===================================================================
M source/blender/windowmanager/intern/wm_event_system.c
===================================================================
diff --git a/source/blender/windowmanager/intern/wm_event_system.c b/source/blender/windowmanager/intern/wm_event_system.c
index 14fcc1d69cc..537d5264ba9 100644
--- a/source/blender/windowmanager/intern/wm_event_system.c
+++ b/source/blender/windowmanager/intern/wm_event_system.c
@@ -3025,7 +3025,7 @@ static int wm_handlers_do_intern(bContext *C, wmEvent *event, ListBase *handlers
/* Other drop custom types allowed. */
if (event->custom == EVT_DATA_DRAGDROP) {
ListBase *lb = (ListBase *)event->customdata;
- LISTBASE_FOREACH (wmDrag *, drag, lb) {
+ LISTBASE_FOREACH_MUTABLE (wmDrag *, drag, lb) {
if (drop->poll(C, drag, event)) {
/* Optionally copy drag information to operator properties. Don't call it if the
* operator fails anyway, it might do more than just set properties (e.g.
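Review bot: The switch to `LISTBASE_FOREACH_MUTABLE` on the loop over `lb` carries no comment saying why the mutable variant is required. The reason only becomes visible in the next hunk, where `BLI_remlink(lb, drag)` unlinks the current item inside the loop body. A one-line comment above the loop (for example, that `drag` may be unlinked and freed while iterating) would stop a later cleanup from reverting to the plain macro. Note also that the mutable macro caches the next pointer before the body runs, so it only protects against removal of the current `drag`; if the operator invoked in the body can free other entries of `lb`, the cached pointer would be stale, and that assumption deserves a mention in the comment.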
@@ -3036,7 +3036,8 @@ static int wm_handlers_do_intern(bContext *C, wmEvent *event, ListBase *handlers
/* Pass single matched wmDrag onto the operator. */
BLI_remlink(lb, drag);
- ListBase single_lb = {drag, drag};
+ ListBase single_lb = {0};
+ BLI_addtail(&single_lb, drag);
event->customdata = &single_lb;
int op_retval = wm_operator_call_internal(
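Review bot: `event->customdata = &single_lb;` stores the address of a block-local `ListBase` in the event, and the lines shown here do not include `event->customdata` being reset after `wm_operator_call_internal(` returns. Please confirm it is pointed back at `lb` (or cleared) before `single_lb` goes out of scope, otherwise the event keeps a dangling pointer to stack memory. A short comment on the `BLI_addtail(&single_lb, drag);` line explaining why it replaces the `{drag, drag}` initializer would also help, since the old form looks equivalent at a glance and the difference in how the item's link pointers are set is the whole fix.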