From c0fdf16561034f85aadae8a513db16144609b821 Mon Sep 17 00:00:00 2001
From: Hans Goudey
Date: Wed, 29 Dec 2021 16:53:02 -0600
Subject: Fix T94454: Python API curve to mesh use after free without depsgraph

This was caused by a mistake in eb0eb54d9644c5139, which removed the clearing of the curve edit mode pointers that are set when creating the temporary data for the conversion. If they are not cleared, the generic ID free function will also free the edit mode data, which is wrong when the source curve is in edit mode.
---
 source/blender/blenkernel/intern/mesh_convert.cc | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
(limited to 'source/blender/blenkernel')
diff --git a/source/blender/blenkernel/intern/mesh_convert.cc b/source/blender/blenkernel/intern/mesh_convert.cc
index 43242e3a093..12fa9d16fd1 100644
--- a/source/blender/blenkernel/intern/mesh_convert.cc
+++ b/source/blender/blenkernel/intern/mesh_convert.cc
@@ -901,6 +901,20 @@ static Object *object_for_curve_to_mesh_create(const Object *object)
 return temp_object;
 }
+static void object_for_curve_to_mesh_free(Object *temp_object)
+{
+ /* Clear edit mode pointers that were explicitly copied to the temporary curve. */
+ ID *final_object_data = static_cast(temp_object->data);
+ if (GS(final_object_data->name) == ID_CU) {
+ Curve &curve = *reinterpret_cast(final_object_data);
+ curve.editfont = nullptr;
+ curve.editnurb = nullptr;
+ }
+
+ BKE_id_free(nullptr, temp_object->data);
+ BKE_id_free(nullptr, temp_object);
+}
+
 /**
 * Populate `object->runtime.curve_cache` which is then used to create the mesh.
 */
@@ -1003,8 +1017,7 @@ static Mesh *mesh_new_from_curve_type_object(const Object *object)
 Mesh *mesh = mesh_new_from_evaluated_curve_type_object(temp_object);
- BKE_id_free(nullptr, temp_object->data);
- BKE_id_free(nullptr, temp_object);
+ object_for_curve_to_mesh_free(temp_object);
 return mesh;
 }
-- cgit v1.2.3
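Review bot: `object_for_curve_to_mesh_free` reads `final_object_data->name` before either free, so it dereferences `temp_object->data` unconditionally, whereas the removed caller code only handed that pointer to `BKE_id_free`. If the pointer can be null after evaluation (not visible in this hunk), the helper crashes before reaching the frees; `if (final_object_data != nullptr && GS(final_object_data->name) == ID_CU) {` would avoid that. The comment would also help the next maintainer more if it stated the ownership rule behind the fix, for example `/* editfont/editnurb are borrowed from the source curve while it is in edit mode; clear them so BKE_id_free() does not free data the source still owns. */`.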
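Review bot: The use-after-free fix only holds if every free of the temporary curve data goes through `object_for_curve_to_mesh_free`, and this hunk converts just the last two `BKE_id_free` calls. `mesh_new_from_curve_type_object` starts above the hunk, so what is shown cannot confirm that no earlier path there frees a temporary curve still carrying the copied `editfont`/`editnurb` pointers. The same check applies to any other user of `object_for_curve_to_mesh_create`. Because the bug was reachable from the Python API, a regression test that converts an edit-mode curve without a depsgraph, run under AddressSanitizer, would keep the clearing from being dropped again as it was in eb0eb54d9644c5139.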