Commit: d7cc907a49b9f637d59f22bb880b3ffaa0d9cb60
Author: Martijn Versteegh
Date: Thu Jan 5 15:39:02 2023 +0100
Branches: refactor-mesh-uv-map-generic
https://developer.blender.org/rBd7cc907a49b9f637d59f22bb880b3ffaa0d9cb60
Fix use-after-free when passing BKE_id_attribute_remove the name owned by the
layer itself
===================================================================
M source/blender/blenkernel/intern/attribute.cc
===================================================================
diff --git a/source/blender/blenkernel/intern/attribute.cc
b/source/blender/blenkernel/intern/attribute.cc
index f03911fbdc0..8b151e81354 100644
--- a/source/blender/blenkernel/intern/attribute.cc
+++ b/source/blender/blenkernel/intern/attribute.cc
@@ -392,11 +392,15 @@ bool BKE_id_attribute_remove(ID *id, const char *name,
ReportList *reports)
BM_data_layer_free_named(em->bm, data,
BKE_uv_map_pin_name_get(name, buffer_src));
}
}
+ /* Because it's possible that name is owned by the layer and will be
freed
+ * when freeing the layer, do these checks before freeing. */
+ const bool is_active_color_attribute = name ==
StringRef(mesh->active_color_attribute);
+ const bool is_default_color_attribute = name ==
StringRef(mesh->default_color_attribute);
if (BM_data_layer_free_named(em->bm, data, name)) {
- if (name == StringRef(mesh->active_color_attribute)) {
+ if (is_active_color_attribute) {
MEM_SAFE_FREE(mesh->active_color_attribute);
}
- else if (name == StringRef(mesh->default_color_attribute)) {
+ else if (is_default_color_attribute) {
MEM_SAFE_FREE(mesh->default_color_attribute);
}
return true;
_______________________________________________
Bf-blender-cvs mailing list
Bf-blender-cvs@blender.org
List details, subscription details or unsubscribe:
https://lists.blender.org/mailman/listinfo/bf-blender-cvs
