[Bf-blender-cvs] [48014fbf143] master: Fix (unreported) use-after-free case in Properties Editor ID remapping code.
Bastien Montagne
noreply at git.blender.org
Tue Apr 12 18:48:44 CEST 2022
Commit: 48014fbf1432de2ad74ef76280673062d9870af7
Author: Bastien Montagne
Date: Tue Apr 12 18:11:08 2022 +0200
Branches: master
https://developer.blender.org/rB48014fbf1432de2ad74ef76280673062d9870af7
Fix (unreported) use-after-free case in Properties Editor ID remapping code.
Regression in rBa21bca0e20a051, found while investigating T97069.
===================================================================
M source/blender/editors/space_buttons/space_buttons.c
===================================================================
diff --git a/source/blender/editors/space_buttons/space_buttons.c b/source/blender/editors/space_buttons/space_buttons.c
index 1ec6832c6c3..1d0061ab7d8 100644
--- a/source/blender/editors/space_buttons/space_buttons.c
+++ b/source/blender/editors/space_buttons/space_buttons.c
@@ -861,12 +861,11 @@ static void buttons_id_remap(ScrArea *UNUSED(area),
for (int i = 0; i < path->len; i++) {
switch (BKE_id_remapper_apply(mappings, &path->ptr[i].owner_id, ID_REMAP_APPLY_DEFAULT)) {
case ID_REMAP_RESULT_SOURCE_UNASSIGNED: {
- if (i == 0) {
- MEM_SAFE_FREE(sbuts->path);
- }
- else {
+ path->len = i;
+ if (i != 0) {
+ /* If the first item in the path is cleared, the whole path is cleared, so no need to
+ * clear further items here, see also at the end of this block. */
memset(&path->ptr[i], 0, sizeof(path->ptr[i]) * (path->len - i));
- path->len = i;
}
break;
}
@@ -887,6 +886,9 @@ static void buttons_id_remap(ScrArea *UNUSED(area),
}
}
}
+ if (path->len == 0) {
+ MEM_SAFE_FREE(sbuts->path);
+ }
}
if (sbuts->texuser) {
More information about the Bf-blender-cvs
mailing list