diff options
author | Bastien Montagne <montagne29@wanadoo.fr> | 2016-03-03 16:44:05 +0300 |
---|---|---|
committer | Bastien Montagne <montagne29@wanadoo.fr> | 2016-03-03 17:03:23 +0300 |
commit | b47137ae46ce1b6573e139b39172722aa033326d (patch) | |
tree | 6c974f004c85ce298fc763c6a20f43ce431abca8 | |
parent | adafcda0bd484195ccb0d10be38fb78ca127e0f3 (diff) |
Fix T47644: crash (use-after-free) regression from rB7a74738914a66e.
Handling `me` data here is not good idea anyway, we override it completly with data
from `tmp` (crash came from freeing already existing bb from me, while pointer still existed in tmp).
(rediscovered it while working on T47676...).
To be backported to 2.77.
-rw-r--r-- | source/blender/blenkernel/intern/DerivedMesh.c | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/source/blender/blenkernel/intern/DerivedMesh.c b/source/blender/blenkernel/intern/DerivedMesh.c index 252cee9d80a..3d4c6e8b5b5 100644 --- a/source/blender/blenkernel/intern/DerivedMesh.c +++ b/source/blender/blenkernel/intern/DerivedMesh.c @@ -808,13 +808,12 @@ void DM_to_mesh(DerivedMesh *dm, Mesh *me, Object *ob, CustomDataMask mask, bool } /* Clear selection history */ - tmp.mselect = NULL; + MEM_SAFE_FREE(tmp.mselect); tmp.totselect = 0; - if (me->mselect) { - MEM_freeN(me->mselect); - } + BLI_assert(ELEM(tmp.bb, NULL, me->bb)); if (me->bb) { MEM_freeN(me->bb); + tmp.bb = NULL; } /* skip the listbase */ |