From e178a273fa7f5c67a617d682b1387cb42a6987cb Mon Sep 17 00:00:00 2001
From: Fen <chemicalcrux>
Date: Fri, 18 Jun 2021 11:13:09 +1000
Subject: Fix T89247: Dereference arguments to comparison function correctly

`bm_face_len_cmp` incorrectly interpreted its arguments as `BMFace *`
instead of `BMFace **`, causing an out-of-bounds read.

Ref D11637
---
 source/blender/bmesh/tools/bmesh_region_match.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'source/blender/bmesh/tools')

diff --git a/source/blender/bmesh/tools/bmesh_region_match.c b/source/blender/bmesh/tools/bmesh_region_match.c
index 561b00544b5..c538d5b17cd 100644
--- a/source/blender/bmesh/tools/bmesh_region_match.c
+++ b/source/blender/bmesh/tools/bmesh_region_match.c
@@ -553,7 +553,8 @@ static void bm_uuidwalk_pass_add(UUIDWalk *uuidwalk,
 
 static int bm_face_len_cmp(const void *v1, const void *v2)
 {
-  const BMFace *f1 = v1, *f2 = v2;
+  const BMFace *f1 = *((BMFace **)v1);
+  const BMFace *f2 = *((BMFace **)v2);
 
   if (f1->len > f2->len) {
     return 1;
-- 
cgit v1.2.3