[Bf-blender-cvs] [c5d3846b102] master: Fix use-after-free error when handling events that close windows

Campbell Barton noreply at git.blender.org
Mon Jul 4 08:31:46 CEST 2022


Commit: c5d3846b1026f2a60d3fdd6b61570adcb6c2a2cf
Author: Campbell Barton
Date:   Mon Jul 4 16:11:31 2022 +1000
Branches: master
https://developer.blender.org/rBc5d3846b1026f2a60d3fdd6b61570adcb6c2a2cf

Fix use-after-free error when handling events that close windows

Regression in [0] caused operations such as file-load or file-new
from any window besides the first to write into the freed:
`wmWindow.eventstate`.

Resolve by copying the event instead of restoring the region relative
cursor position after modifying it.

[0]: 789b1617f70e07f1c9bcb5253f1233acacbf6c8a

===================================================================

M	source/blender/windowmanager/intern/wm_event_system.cc

===================================================================

diff --git a/source/blender/windowmanager/intern/wm_event_system.cc b/source/blender/windowmanager/intern/wm_event_system.cc
index c282cda4305..0395e8bda7a 100644
--- a/source/blender/windowmanager/intern/wm_event_system.cc
+++ b/source/blender/windowmanager/intern/wm_event_system.cc
@@ -1378,22 +1378,20 @@ static int wm_operator_invoke(bContext *C,
     }
 
     if (op->type->invoke && event) {
-      /* Temporarily write into `mval` (not technically `const` correct) but this is restored. */
-      const int mval_prev[2] = {UNPACK2(event->mval)};
-      wm_region_mouse_co(C, (wmEvent *)event);
+      /* Make a copy of the event as it's `const` and the #wmEvent.mval to be written into. */
+      wmEvent event_temp = *event;
+      wm_region_mouse_co(C, &event_temp);
 
       if (op->type->flag & OPTYPE_UNDO) {
         wm->op_undo_depth++;
       }
 
-      retval = op->type->invoke(C, op, event);
+      retval = op->type->invoke(C, op, &event_temp);
       OPERATOR_RETVAL_CHECK(retval);
 
       if (op->type->flag & OPTYPE_UNDO && CTX_wm_manager(C) == wm) {
         wm->op_undo_depth--;
       }
-
-      copy_v2_v2_int(((wmEvent *)event)->mval, mval_prev);
     }
     else if (op->type->exec) {
       if (op->type->flag & OPTYPE_UNDO) {
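Review bot: The new comment above `wmEvent event_temp = *event;` gives only const-correctness as the reason for the copy, and its second half ("and the #wmEvent.mval to be written into") is missing a verb. Per the commit message, the reason that matters is lifetime: `invoke` can close the window and free `wmWindow.eventstate`, so the old restore through `event` after the call wrote into freed memory. Please say that in the comment, for example "Copy the event: `mval` is written into, and `invoke` may close the window and free the original event", so the copy is not later replaced by an in-place write and restore. Also worth confirming that nothing after the `invoke` call in this branch reads `event` again, since the pointer may be dangling by then; none of the lines visible here do.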


