From 102631486b480d98c2d9b921a95472688bba8416 Mon Sep 17 00:00:00 2001 From: Andrew Williams Date: Tue, 22 Jan 2019 12:51:14 +0100 Subject: Fix potential invalid memory access in surface force field BVH tree. Free the BVH tree immediately along with the mesh, otherwise we might access invalid mesh data. Differential Revision: https://developer.blender.org/D4201 --- source/blender/modifiers/intern/MOD_surface.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'source/blender/modifiers') diff --git a/source/blender/modifiers/intern/MOD_surface.c b/source/blender/modifiers/intern/MOD_surface.c index c5fa510f2e0..a7198b5721e 100644 --- a/source/blender/modifiers/intern/MOD_surface.c +++ b/source/blender/modifiers/intern/MOD_surface.c @@ -96,8 +96,15 @@ static void deformVerts( SurfaceModifierData *surmd = (SurfaceModifierData *) md; const int cfra = (int)DEG_get_ctime(ctx->depsgraph); + /* Free mesh and BVH cache. */ + if (surmd->bvhtree) { + free_bvhtree_from_mesh(surmd->bvhtree); + MEM_SAFE_FREE(surmd->bvhtree); + } + if (surmd->mesh) { BKE_id_free(NULL, surmd->mesh); + surmd->mesh = NULL; } if (mesh) { @@ -168,10 +175,7 @@ static void deformVerts( surmd->cfra = cfra; - if (surmd->bvhtree) - free_bvhtree_from_mesh(surmd->bvhtree); - else - surmd->bvhtree = MEM_callocN(sizeof(BVHTreeFromMesh), "BVHTreeFromMesh"); + surmd->bvhtree = MEM_callocN(sizeof(BVHTreeFromMesh), "BVHTreeFromMesh"); if (surmd->mesh->totpoly) BKE_bvhtree_from_mesh_get(surmd->bvhtree, surmd->mesh, BVHTREE_FROM_LOOPTRI, 2); -- cgit v1.2.3