From edfe2d669146cec3f89d722bfd30502cbdf59795 Mon Sep 17 00:00:00 2001 From: Campbell Barton Date: Mon, 15 Jun 2015 20:56:44 +1000 Subject: BGE: fix use after free --- source/gameengine/Ketsji/KX_Scene.cpp | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) (limited to 'source/gameengine/Ketsji/KX_Scene.cpp') diff --git a/source/gameengine/Ketsji/KX_Scene.cpp b/source/gameengine/Ketsji/KX_Scene.cpp index 2adc20b0288..d3ee219b2f4 100644 --- a/source/gameengine/Ketsji/KX_Scene.cpp +++ b/source/gameengine/Ketsji/KX_Scene.cpp @@ -1080,6 +1080,16 @@ int KX_Scene::NewRemoveObject(class CValue* gameobj) group->RemoveInstanceObject(newobj); newobj->RemoveMeshes(); + + switch (newobj->GetGameObjectType()) { + case SCA_IObject::OBJ_CAMERA: + m_cameras.remove((KX_Camera *)newobj); + break; + case SCA_IObject::OBJ_TEXT: + m_fonts.remove((KX_FontObject *)newobj); + break; + } + ret = 1; if (newobj->GetGameObjectType()==SCA_IObject::OBJ_LIGHT && m_lightlist->RemoveValue(newobj)) ret = newobj->Release(); @@ -1095,7 +1105,10 @@ int KX_Scene::NewRemoveObject(class CValue* gameobj) ret = newobj->Release(); if (m_animatedlist->RemoveValue(newobj)) ret = newobj->Release(); - + + /* Warning 'newobj' maye be freed now, only compare, don't access */ + + if (newobj == m_active_camera) { //no AddRef done on m_active_camera so no Release @@ -1103,12 +1116,6 @@ int KX_Scene::NewRemoveObject(class CValue* gameobj) m_active_camera = NULL; } - // in case this is a camera - m_cameras.remove((KX_Camera*)newobj); - - // in case this is a font - m_fonts.remove((KX_FontObject*)newobj); - /* currently does nothing, keep in case we need to Unregister something */ #if 0 if (m_sceneConverter) -- cgit v1.2.3
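Review bot: The new switch on GetGameObjectType() has no `default:` branch, so if that accessor returns an enum, builds with -Wswitch will warn on every object type it does not list; add `default: break;` after the OBJ_TEXT case. Nothing in the hunk says why the camera/font unlinking now has to sit above the Release() chain, and the next maintainer who tidies the function could move it back; a one-line comment on the switch would pin the ordering: `/* Unlink from per-type lists before any Release() below can free newobj. */`. The OBJ_LIGHT dispatch two lines below is the same per-type removal but stays outside the switch because it also drives a Release(); worth a short note there too so the two shapes do not look accidental. NewRemoveObject's body starts and ends outside this hunk.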
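Review bot: The block under the new warning comment still reads newobj's value after the Release() calls may have freed it — `newobj == m_active_camera` compares a possibly dangling pointer, which likely behaves in practice but is not something a comment should have to excuse, and it leaves a second use-after-free pattern in the same function the commit is fixing. Clear the active camera while newobj is certainly alive instead: move `if (newobj == m_active_camera) m_active_camera = NULL;` up next to the new switch, ahead of the first `ret = newobj->Release();`, and the warning comment can go. If the comment stays, fix the typo (`maye` → `may`) and drop one of the two blank lines that follow it. NewRemoveObject's body starts and ends outside this hunk.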