author | Julian Eisel <julian@blender.org> | 2021-09-30 17:33:25 +0300 |
---|---|---|
committer | Julian Eisel <julian@blender.org> | 2021-09-30 17:39:09 +0300 |
commit | 4389067929d9a57923b7a85ec29b8ca9633fef29 (patch) | |
tree | 5409c1a51ff8460bad68f85df4e2c5ae00465142 /source/blender/windowmanager/intern/wm_event_system.c | |
parent | 4ee2d9df428d16f07e351f5554b951ae75804ea0 (diff) |
Fix possible use-after-free in drag-drop handling logic
This would happen when there were multiple drag items in parallel: a
listbase was constructed containing the same item twice, even though that
item would be deleted after it was handled the first time.
Diffstat (limited to 'source/blender/windowmanager/intern/wm_event_system.c')
-rw-r--r-- | source/blender/windowmanager/intern/wm_event_system.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/source/blender/windowmanager/intern/wm_event_system.c b/source/blender/windowmanager/intern/wm_event_system.c
index 14fcc1d69cc..537d5264ba9 100644
--- a/source/blender/windowmanager/intern/wm_event_system.c
+++ b/source/blender/windowmanager/intern/wm_event_system.c
@@ -3025,7 +3025,7 @@ static int wm_handlers_do_intern(bContext *C, wmEvent *event, ListBase *handlers
 /* Other drop custom types allowed. */
 if (event->custom == EVT_DATA_DRAGDROP) {
 ListBase *lb = (ListBase *)event->customdata;
- LISTBASE_FOREACH (wmDrag *, drag, lb) {
+ LISTBASE_FOREACH_MUTABLE (wmDrag *, drag, lb) {
 if (drop->poll(C, drag, event)) {
 /* Optionally copy drag information to operator properties. Don't call it if the
 * operator fails anyway, it might do more than just set properties (e.g.
@@ -3036,7 +3036,8 @@ static int wm_handlers_do_intern(bContext *C, wmEvent *event, ListBase *handlers
 /* Pass single matched wmDrag onto the operator. */
 BLI_remlink(lb, drag);
- ListBase single_lb = {drag, drag};
+ ListBase single_lb = {0};
+ BLI_addtail(&single_lb, drag);
 event->customdata = &single_lb;
 int op_retval = wm_operator_call_internal( |
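Review bot: `LISTBASE_FOREACH_MUTABLE` reads the next link before the loop body runs, so at the changed loop header it only protects against `drag` itself being unlinked. If anything in the body frees the remaining entries of `lb`, the saved next pointer would be stale on the following iteration. The loop body continues outside this hunk, so whether it leaves the loop right after a drop is handled cannot be confirmed from here. I would document the requirement at the loop header, for example `/* Mutable: the matched drag is unlinked from lb below; do not keep iterating once the drags have been freed. */`.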
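Review bot: `event->customdata = &single_lb;` stores the address of a block-scoped local in the event, which outlives this block, so the pointer dangles unless it is reset before the scope ends. That reset is not visible in this hunk, since the block continues past it; if it is not already there, `event->customdata = NULL;` after the operator call would close the gap. The ownership change also deserves a comment next to `BLI_remlink(lb, drag);`, for example `/* single_lb now owns drag; it must be freed separately from lb. */`, so a later edit does not free the item through both lists again.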