author | Campbell Barton <campbell@blender.org> | 2022-07-15 15:47:20 +0300 |
---|---|---|
committer | Thomas Dinges <blender@dingto.org> | 2022-07-15 15:47:20 +0300 |
commit | 3d6f6715595ea48004132d934c21f75eac85f51d (patch) | |
tree | 973d3b75603b916a85bc6098a71cb119cf50938a | |
parent | a009159314c7ff1d9d0b4347433e078339f93c55 (diff) |
Fix use-after-free error when handling events that close windows
Regression in [0] caused operations such as file-load or file-new
from any window besides the first to write into the freed
`wmWindow.eventstate`.
Resolve by copying the event instead of restoring the region relative
cursor position after modifying it.
[0]: 789b1617f70e07f1c9bcb5253f1233acacbf6c8a
-rw-r--r-- | source/blender/windowmanager/intern/wm_event_system.c | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/source/blender/windowmanager/intern/wm_event_system.c b/source/blender/windowmanager/intern/wm_event_system.c
index 43b4d4a90f0..c2be9514b2c 100644
--- a/source/blender/windowmanager/intern/wm_event_system.c
+++ b/source/blender/windowmanager/intern/wm_event_system.c
@@ -1377,22 +1377,20 @@ static int wm_operator_invoke(bContext *C,
 }
 if (op->type->invoke && event) {
- /* Temporarily write into `mval` (not technically `const` correct) but this is restored. */
- int mval_prev[2] = {UNPACK2(event->mval)};
- wm_region_mouse_co(C, (wmEvent *)event);
+ /* Make a copy of the event as it's `const` and the #wmEvent.mval to be written into. */
+ wmEvent event_temp = *event;
+ wm_region_mouse_co(C, &event_temp);
 if (op->type->flag & OPTYPE_UNDO) {
 wm->op_undo_depth++;
 }
- retval = op->type->invoke(C, op, event);
+ retval = op->type->invoke(C, op, &event_temp);
 OPERATOR_RETVAL_CHECK(retval);
 if (op->type->flag & OPTYPE_UNDO && CTX_wm_manager(C) == wm) {
 wm->op_undo_depth--;
 }
-
- copy_v2_v2_int(((wmEvent *)event)->mval, mval_prev);
 }
 else if (op->type->exec) {
 if (op->type->flag & OPTYPE_UNDO) { |
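Review bot: The new comment above `wmEvent event_temp = *event;` gives only the `const` reason for the copy and omits the lifetime reason that the commit message identifies as the actual bug, so a later cleanup could reintroduce the write-back. I would word it as `/* Copy the event: invoke() may close the window and free the original event (e.g. file-load), so nothing may be written back to it afterwards. */`. The copy is also a shallow struct assignment, so any pointer members of `wmEvent` (its definition is not visible here) still alias storage owned by the original and should not be dereferenced once `invoke` has returned. The same applies to `event` itself: `wm_operator_invoke` continues outside this hunk, and any read of `event` after the `invoke` call on a window-closing path would presumably hit the same freed memory, which is worth checking.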