From 48014fbf1432de2ad74ef76280673062d9870af7 Mon Sep 17 00:00:00 2001
From: Bastien Montagne
Date: Tue, 12 Apr 2022 18:11:08 +0200
Subject: Fix (unreported) use-after-free case in Properties Editor ID remapping code.

Regression in rBa21bca0e20a051, found while investigating T97069.
---
 source/blender/editors/space_buttons/space_buttons.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
(limited to 'source/blender/editors/space_buttons')
diff --git a/source/blender/editors/space_buttons/space_buttons.c b/source/blender/editors/space_buttons/space_buttons.c
index 1ec6832c6c3..1d0061ab7d8 100644
--- a/source/blender/editors/space_buttons/space_buttons.c
+++ b/source/blender/editors/space_buttons/space_buttons.c
@@ -861,12 +861,11 @@ static void buttons_id_remap(ScrArea *UNUSED(area),
 for (int i = 0; i < path->len; i++) {
 switch (BKE_id_remapper_apply(mappings, &path->ptr[i].owner_id, ID_REMAP_APPLY_DEFAULT)) {
 case ID_REMAP_RESULT_SOURCE_UNASSIGNED: {
- if (i == 0) {
- MEM_SAFE_FREE(sbuts->path);
- }
- else {
+ path->len = i;
+ if (i != 0) {
+ /* If the first item in the path is cleared, the whole path is cleared, so no need to
+ * clear further items here, see also at the end of this block. */
 memset(&path->ptr[i], 0, sizeof(path->ptr[i]) * (path->len - i));
- path->len = i;
 }
 break;
 }
@@ -887,6 +886,9 @@ static void buttons_id_remap(ScrArea *UNUSED(area),
 }
 }
 }
+ if (path->len == 0) {
+ MEM_SAFE_FREE(sbuts->path);
+ }
 }
 
 if (sbuts->texuser) {
-- 
cgit v1.2.3
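Review bot: In the `ID_REMAP_RESULT_SOURCE_UNASSIGNED` case of the first hunk, `path->len = i;` now runs before the `memset`, so the size expression `sizeof(path->ptr[i]) * (path->len - i)` is always zero and the call clears nothing. The entries from index `i` onward therefore keep their old contents instead of being zeroed as the pre-patch `else` branch did. Whether anything reads past `path->len` is not visible here, but a fix for a use-after-free should not leave stale pointers in the buffer. Capture the old length first, e.g. `const int old_len = path->len;` ahead of the assignment, and use `memset(&path->ptr[i], 0, sizeof(path->ptr[i]) * (old_len - i));` inside the `if`. `buttons_id_remap` begins and ends outside both hunks, so the declaration of `path` and any use of that local after the `MEM_SAFE_FREE(sbuts->path)` added in the second hunk cannot be checked from this page.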