From aa4ae796c8a7a19052614cf161e62fff49c856fe Mon Sep 17 00:00:00 2001
From: Campbell Barton
Date: Mon, 15 Jun 2015 20:56:44 +1000
Subject: BGE: fix use after free

---
 source/gameengine/Ketsji/KX_Scene.cpp | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/source/gameengine/Ketsji/KX_Scene.cpp b/source/gameengine/Ketsji/KX_Scene.cpp
index 25755f7127b..49eda1d700a 100644
--- a/source/gameengine/Ketsji/KX_Scene.cpp
+++ b/source/gameengine/Ketsji/KX_Scene.cpp
@@ -1077,6 +1077,16 @@ int KX_Scene::NewRemoveObject(class CValue* gameobj)
 group->RemoveInstanceObject(newobj);
 newobj->RemoveMeshes();
+
+ switch (newobj->GetGameObjectType()) {
+ case SCA_IObject::OBJ_CAMERA:
+ m_cameras.remove((KX_Camera *)newobj);
+ break;
+ case SCA_IObject::OBJ_TEXT:
+ m_fonts.remove((KX_FontObject *)newobj);
+ break;
+ }
+
 ret = 1;
 if (newobj->GetGameObjectType()==SCA_IObject::OBJ_LIGHT && m_lightlist->RemoveValue(newobj))
 ret = newobj->Release();
@@ -1092,7 +1102,10 @@ int KX_Scene::NewRemoveObject(class CValue* gameobj)
 ret = newobj->Release();
 if (m_animatedlist->RemoveValue(newobj))
 ret = newobj->Release();
-
+
+ /* Warning 'newobj' maye be freed now, only compare, don't access */
+
+
 if (newobj == m_active_camera)
 {
 //no AddRef done on m_active_camera so no Release
@@ -1100,12 +1113,6 @@ int KX_Scene::NewRemoveObject(class CValue* gameobj)
 m_active_camera = NULL;
 }
- // in case this is a camera
- m_cameras.remove((KX_Camera*)newobj);
- // in case this is a font
- m_fonts.remove((KX_FontObject*)newobj);
-
 /* currently does nothing, keep in case we need to Unregister something */
 #if 0
 if (m_sceneConverter)
-- 
cgit v1.2.3
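Review bot: The new switch in NewRemoveObject carries no comment saying why the camera/font list removal now has to happen at this point, which is the entire substance of the fix: the removed code further down called `m_cameras.remove()` / `m_fonts.remove()` without a matching Release(), so those lists appear to be non-owning and must be unlinked before the `Release()` calls that follow can free `newobj`; without a comment the next refactor can move it back. I would add, above the switch, `/* Unlink from the non-owning camera/font lists now: the Release() calls below may free newobj. */`. The switch also has no `default: break;`, which `-Wswitch` will warn about since the enum clearly has other values (OBJ_LIGHT is tested on the very next line). The enclosing function starts and ends outside the hunk.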
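Review bot: The added warning comment has a typo (`maye` should be `may`) and, more importantly, it documents a pattern that remains fragile: the `newobj == m_active_camera` comparison right below it uses a pointer value that may already have been freed, which C++ treats as at best implementation-defined, and any future edit that dereferences `newobj` past this line would reintroduce the use-after-free silently. A safer shape is to reset `m_active_camera` before the Release() calls (for example inside the OBJ_CAMERA case added earlier in this function, or by capturing `const bool was_active = (newobj == m_active_camera);` before the first Release()), so that nothing touches `newobj` at all once it may be gone. If the check stays where it is, the comment should at least read `/* Warning: 'newobj' may be freed now - only compare the pointer value, never dereference it */`. The enclosing function starts and ends outside the hunk.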