From 05715eaea144b3812c2a788e5ef413a5aa601a06 Mon Sep 17 00:00:00 2001
From: Hans Goudey
Date: Thu, 14 Apr 2022 13:04:16 -0500
Subject: Fix: Use after free when removing attribute on instances

Assume that only one layer matches the id and return instead of continuing to iterate over attributes after the layers have been potentially reallocated.
---
 source/blender/blenkernel/intern/attribute_access.cc | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/source/blender/blenkernel/intern/attribute_access.cc b/source/blender/blenkernel/intern/attribute_access.cc
index d0420b4170a..0ae9fa4356b 100644
--- a/source/blender/blenkernel/intern/attribute_access.cc
+++ b/source/blender/blenkernel/intern/attribute_access.cc
@@ -746,15 +746,14 @@ bool CustomDataAttributes::create_by_move(const AttributeIDRef &attribute_id,

 bool CustomDataAttributes::remove(const AttributeIDRef &attribute_id)
 {
- bool result = false;
 for (const int i : IndexRange(data.totlayer)) {
 const CustomDataLayer &layer = data.layers[i];
 if (custom_data_layer_matches_attribute_id(layer, attribute_id)) {
 CustomData_free_layer(&data, layer.type, size_, i);
- result = true;
+ return true;
 }
 }
- return result;
+ return false;
 }

 void CustomDataAttributes::reallocate(const int size)
--
cgit v1.2.3
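Review bot: The early `return true;` in `CustomDataAttributes::remove` is the only thing that keeps the loop from reading `data.layers` and the stale `layer` reference after `CustomData_free_layer`, yet that reason and the one-match assumption are recorded only in the commit message. I would add a comment directly above the return, e.g. `/* Stop here: freeing the layer may reallocate data.layers, so layer and the loop range are no longer valid. */`, so a later refactor does not reintroduce the iteration. If two layers could ever match the same id, the second one is now left in place silently, so stating the uniqueness invariant in the code (or asserting it in debug builds) would make that explicit. The result of `CustomData_free_layer` is also not checked, so the function reports success whenever a match was found; this is presumably fine if the call cannot fail for a valid index, but worth confirming.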