From a750acab78cf38ca8f010c4ac81ec948faa79dd5 Mon Sep 17 00:00:00 2001
From: Julian Eisel <julian@blender.org>
Date: Mon, 2 Nov 2020 21:47:08 +0100
Subject: Fix possible use-after-free when closing Blender with File Browser
 open

I think there wasn't actually any issue currently, but only by luck. We still
passed around and NULL-checked a pointer to freed memory (the file operator,
`SpaceFile.op`) which is easy to break and should be avoided.
Noticed while testing D8598.
---
 source/blender/windowmanager/intern/wm_event_system.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'source/blender/windowmanager')

diff --git a/source/blender/windowmanager/intern/wm_event_system.c b/source/blender/windowmanager/intern/wm_event_system.c
index 4f2be59eb1a..a6b8eb9d3fd 100644
--- a/source/blender/windowmanager/intern/wm_event_system.c
+++ b/source/blender/windowmanager/intern/wm_event_system.c
@@ -1731,8 +1731,21 @@ void WM_event_remove_handlers(bContext *C, ListBase *handlers)
     BLI_assert(handler_base->type != 0);
     if (handler_base->type == WM_HANDLER_TYPE_OP) {
       wmEventHandler_Op *handler = (wmEventHandler_Op *)handler_base;
+
       if (handler->op) {
         wmWindow *win = CTX_wm_window(C);
+
+        if (handler->is_fileselect) {
+          /* Exit File Browsers refering to this handler/operator. */
+          LISTBASE_FOREACH (wmWindow *, temp_win, &wm->windows) {
+            ScrArea *file_area = ED_fileselect_handler_area_find(temp_win, handler->op);
+            if (!file_area) {
+              continue;
+            }
+            ED_area_exit(C, file_area);
+          }
+        }
+
         if (handler->op->type->cancel) {
           ScrArea *area = CTX_wm_area(C);
           ARegion *region = CTX_wm_region(C);
-- 
cgit v1.2.3