From eb771c78cd1199cd35af7ded4d4a13f8a62430c6 Mon Sep 17 00:00:00 2001
From: Campbell Barton <ideasman42@gmail.com>
Date: Tue, 16 Oct 2012 14:35:37 +0000
Subject: fix for free NULL pointer in BM_vert_splice() and BM_iter_as_arrayN()
 failed with BM_VERTS_OF_MESH/BM_EDGES_OF_MESH/BM_FACES_OF_MESH.

---
 source/blender/bmesh/intern/bmesh_core.c      |  8 +++++---
 source/blender/bmesh/intern/bmesh_iterators.c | 16 ++++++++++++++++
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/source/blender/bmesh/intern/bmesh_core.c b/source/blender/bmesh/intern/bmesh_core.c
index 2836f2ce1d4..16c7f6f1539 100644
--- a/source/blender/bmesh/intern/bmesh_core.c
+++ b/source/blender/bmesh/intern/bmesh_core.c
@@ -1813,10 +1813,12 @@ int BM_vert_splice(BMesh *bm, BMVert *v, BMVert *vtarget)
 
 	/* we can't modify the vert while iterating so first allocate an array of loops */
 	loops = BM_iter_as_arrayN(bm, BM_LOOPS_OF_VERT, v, &loops_tot);
-	for (i = 0; i < loops_tot; i++) {
-		loops[i]->v = vtarget;
+	if (loops) {
+		for (i = 0; i < loops_tot; i++) {
+			loops[i]->v = vtarget;
+		}
+		MEM_freeN(loops);
 	}
-	MEM_freeN(loops);
 
 	/* move all the edges from v's disk to vtarget's disk */
 	while ((e = v->e)) {
diff --git a/source/blender/bmesh/intern/bmesh_iterators.c b/source/blender/bmesh/intern/bmesh_iterators.c
index 726127fdcad..10f0df78fd0 100644
--- a/source/blender/bmesh/intern/bmesh_iterators.c
+++ b/source/blender/bmesh/intern/bmesh_iterators.c
@@ -120,6 +120,21 @@ void *BM_iter_as_arrayN(BMesh *bm, const char itype, void *data, int *r_len)
 {
 	BMIter iter;
 
+	/* we can't rely on coun't being set */
+	switch (itype) {
+		case BM_VERTS_OF_MESH:
+			iter.count = bm->totvert;
+			break;
+		case BM_EDGES_OF_MESH:
+			iter.count = bm->totedge;
+			break;
+		case BM_FACES_OF_MESH:
+			iter.count = bm->totface;
+			break;
+		default:
+			break;
+	}
+
 	if (BM_iter_init(&iter, bm, itype, data) && iter.count > 0) {
 		BMElem *ele;
 		BMElem **array = MEM_mallocN(sizeof(ele) * iter.count, __func__);
@@ -229,6 +244,7 @@ void  *bmiter__vert_of_mesh_step(BMIter *iter)
 void  bmiter__edge_of_mesh_begin(BMIter *iter)
 {
 	BLI_mempool_iternew(iter->bm->epool, &iter->pooliter);
+	iter->count = iter->bm->totedge;  /* */
 }
 
 void  *bmiter__edge_of_mesh_step(BMIter *iter)
-- 
cgit v1.2.3