Depsgraph: Fix heap use after free when freeing scene with compositor

This is the fake ID nature of compositor again. Need to discard such
pointers before freeing datablock even for scenes (before it was done
for objects only).

1 files changed, 5 insertions, 4 deletions

diff --git a/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc b/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc
index 28d5db4063b..f7e08915531 100644
--- a/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc
+++ b/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc
@@ -670,6 +670,9 @@ void deg_free_copy_on_write_datablock(ID *id_cow)
 		return;
 	}
 	const short type = GS(id_cow->name);
+#ifdef NESTED_ID_NASTY_WORKAROUND
+	nested_id_hack_discard_pointers(id_cow);
+#endif
 	switch (type) {
 		case ID_OB:
 		{
@@ -696,15 +699,13 @@ void deg_free_copy_on_write_datablock(ID *id_cow)
 			/* Special case for scene: we use explicit function call which
 			 * ensures no access to other datablocks is done.
 			 */
-			BKE_scene_free_ex((Scene *)id_cow, false);
+			Scene *scene = (Scene *)id_cow;
+			BKE_scene_free_ex(scene, false);
 			BKE_libblock_free_data(id_cow, false);
 			id_cow->name[0] = '\0';
 			return;
 		}
 	}
-#ifdef NESTED_ID_NASTY_WORKAROUND
-	nested_id_hack_discard_pointers(id_cow);
-#endif
 	BKE_libblock_free_datablock(id_cow);
 	BKE_libblock_free_data(id_cow, false);
 	/* Signal datablock as not being expanded. */