[Bf-blender-cvs] [3f294a37f57] blender-v3.4-release: Fix: Use after free when removing attribute

Hans Goudey noreply at git.blender.org
Tue Nov 22 20:49:03 CET 2022


Commit: 3f294a37f5752a6c246251226a24fa8ac831cdcd
Author: Hans Goudey
Date:   Tue Nov 22 13:46:50 2022 -0600
Branches: blender-v3.4-release
https://developer.blender.org/rB3f294a37f5752a6c246251226a24fa8ac831cdcd

Fix: Use after free when removing attribute

We currently check multiple dynamic attribute providers for the
attribute ID, even after it has been removed (which can free the name).
This was used as a simple way to remove multiple attributes with the
same name (dealing with name collisions). However, that doesn't happen
in practice at this point, since so much code has moved to the
attribute API which checks for it.

===================================================================

M	source/blender/blenkernel/intern/attribute_access_intern.hh

===================================================================

diff --git a/source/blender/blenkernel/intern/attribute_access_intern.hh b/source/blender/blenkernel/intern/attribute_access_intern.hh
index 33d415f1e0e..5ab7c6aadf3 100644
--- a/source/blender/blenkernel/intern/attribute_access_intern.hh
+++ b/source/blender/blenkernel/intern/attribute_access_intern.hh
@@ -469,11 +469,12 @@ inline bool remove(void *owner, const AttributeIDRef &attribute_id)
       return provider->try_delete(owner);
     }
   }
-  bool success = false;
   for (const DynamicAttributesProvider *provider : providers.dynamic_attribute_providers()) {
-    success = provider->try_delete(owner, attribute_id) || success;
+    if (provider->try_delete(owner, attribute_id)) {
+      return true;
+    }
   }
-  return success;
+  return false;
 }
 
 template<const ComponentAttributeProviders &providers>
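Review bot: The early `return true` in the loop over `providers.dynamic_attribute_providers()` carries no comment saying it is required for memory safety, so a later cleanup could reintroduce the accumulate pattern (`success = ... || success`) and with it the use after free. Per the commit message, a successful `try_delete(owner, attribute_id)` can free the name that `attribute_id` refers to, so `attribute_id` must not be passed to any further provider after the first success. A short comment above the `if` stating that would make the invariant visible. The change also drops the old behaviour of removing same-named attributes from every dynamic provider. If a name collision does occur, only the first match is removed and the function still returns true, so that assumption is worth documenting at this spot or in the doc comment of `remove`.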


