From 4389067929d9a57923b7a85ec29b8ca9633fef29 Mon Sep 17 00:00:00 2001
From: Julian Eisel
Date: Thu, 30 Sep 2021 16:33:25 +0200
Subject: Fix possible use-after-free in drag-drop handling logic

Would happen when there were multiple drag items in parallel. There was a listbase constructed with twice the same item, even though that item would be deleted after it was handled the first time.
---
 source/blender/windowmanager/intern/wm_event_system.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'source/blender/windowmanager/intern/wm_event_system.c')

diff --git a/source/blender/windowmanager/intern/wm_event_system.c b/source/blender/windowmanager/intern/wm_event_system.c
index 14fcc1d69cc..537d5264ba9 100644
--- a/source/blender/windowmanager/intern/wm_event_system.c
+++ b/source/blender/windowmanager/intern/wm_event_system.c
@@ -3025,7 +3025,7 @@ static int wm_handlers_do_intern(bContext *C, wmEvent *event, ListBase *handlers
 /* Other drop custom types allowed. */
 if (event->custom == EVT_DATA_DRAGDROP) {
 ListBase *lb = (ListBase *)event->customdata;
- LISTBASE_FOREACH (wmDrag *, drag, lb) {
+ LISTBASE_FOREACH_MUTABLE (wmDrag *, drag, lb) {
 if (drop->poll(C, drag, event)) {
 /* Optionally copy drag information to operator properties. Don't call it if the
 * operator fails anyway, it might do more than just set properties (e.g.
@@ -3036,7 +3036,8 @@ static int wm_handlers_do_intern(bContext *C, wmEvent *event, ListBase *handlers
 /* Pass single matched wmDrag onto the operator. */
 BLI_remlink(lb, drag);
- ListBase single_lb = {drag, drag};
+ ListBase single_lb = {0};
+ BLI_addtail(&single_lb, drag);
 event->customdata = &single_lb;
 int op_retval = wm_operator_call_internal(
-- cgit v1.2.3
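Review bot: The switch to `LISTBASE_FOREACH_MUTABLE` on the loop over `lb` carries no comment saying why the mutable variant is required, so a later cleanup could revert it and reintroduce the use-after-free. I would add above the loop `/* Mutable iteration: the matched drag is unlinked from lb (and later freed) inside the body. */`. The mutable form only protects against removal of the current element, since it caches the next pointer before the body runs. The loop body continues outside this hunk, so it is worth confirming that nothing further down frees other elements of `lb` while the iteration is still live.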
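Review bot: `event->customdata = &single_lb;` stores the address of a block-scoped stack variable in the event, and the event outlives that block. The reset is not visible in this hunk, because the body of wm_handlers_do_intern continues past `wm_operator_call_internal(`. If any exit after the operator call, including an early return, leaves `event->customdata` untouched, later readers would follow a dangling stack pointer. Please confirm every such path clears or restores it, and consider documenting the constraint next to the assignment: `/* single_lb lives on the stack: event->customdata must be reset before leaving this block. */`.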