From 64fe7139ec10531972ceec7137eaa7fdec7cfef7 Mon Sep 17 00:00:00 2001 From: Campbell Barton Date: Sat, 21 Apr 2012 15:56:50 +0000 Subject: fix [#31045] the blender game engine could reference a freed texface or mcolor array. --- source/gameengine/Ketsji/KX_PolygonMaterial.cpp | 32 +++++++++++++++++-------- source/gameengine/Ketsji/KX_PolygonMaterial.h | 11 +++++---- 2 files changed, 28 insertions(+), 15 deletions(-) (limited to 'source/gameengine') diff --git a/source/gameengine/Ketsji/KX_PolygonMaterial.cpp b/source/gameengine/Ketsji/KX_PolygonMaterial.cpp index a85ba488fbc..2e39190f4f9 100644 --- a/source/gameengine/Ketsji/KX_PolygonMaterial.cpp +++ b/source/gameengine/Ketsji/KX_PolygonMaterial.cpp @@ -60,14 +60,14 @@ KX_PolygonMaterial::KX_PolygonMaterial() : PyObjectPlus(), RAS_IPolyMaterial(), - m_tface(NULL), - m_mcol(NULL), m_material(NULL), #ifdef WITH_PYTHON m_pymaterial(NULL), #endif m_pass(0) { + memset(&m_tface, 0, sizeof(m_tface)); + memset(&m_mcol, 0, sizeof(m_mcol)); } void KX_PolygonMaterial::Initialize( @@ -98,8 +98,20 @@ void KX_PolygonMaterial::Initialize( light, (texname && texname != ""?true:false), /* if we have a texture we have image */ ma?&ma->game:NULL); - m_tface = tface; - m_mcol = mcol; + + if (tface) { + m_tface = *tface; + } + else { + memset(&m_tface, 0, sizeof(m_tface)); + } + if (mcol) { + m_mcol = *mcol; + } + else { + memset(&m_mcol, 0, sizeof(m_mcol)); + } + m_material = ma; #ifdef WITH_PYTHON m_pymaterial = 0; @@ -119,7 +131,7 @@ KX_PolygonMaterial::~KX_PolygonMaterial() Image *KX_PolygonMaterial::GetBlenderImage() const { - return (m_tface) ? m_tface->tpage : NULL; + return m_tface.tpage; } bool KX_PolygonMaterial::Activate(RAS_IRasterizer* rasty, TCachingInfo& cachingInfo) const 
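Review bot: `m_mcol = *mcol;` keeps only the first element of what the commit subject calls an mcolor array, so any caller that indexes the pointer returned by `GetMCol()` past `[0]` would now read beyond the `m_mcol` member into neighbouring object memory. The callers are not in this patch; if any of them read more than one colour, the member should be an array of the size they expect, otherwise state the single-element contract in a comment next to the assignment. The `m_tface = *tface;` copy is also shallow: `tpage` is still a pointer to an `Image` this class does not own, which deserves a comment such as `/* tpage is borrowed; the Image must outlive this material */`. Initialize's body starts and ends outside the hunk.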
@@ -175,9 +187,9 @@ void KX_PolygonMaterial::DefaultActivate(RAS_IRasterizer* rasty, TCachingInfo& c if ((m_drawingmode & RAS_IRasterizer::KX_TEX)&& (rasty->GetDrawingMode() == RAS_IRasterizer::KX_TEXTURED)) { - Image *ima = (Image*)m_tface->tpage; + Image *ima = m_tface.tpage; GPU_update_image_time(ima, rasty->GetTime()); - GPU_set_tpage(m_tface, 1, m_alphablend); + GPU_set_tpage(&m_tface, 1, m_alphablend); } else GPU_set_tpage(NULL, 0, 0); @@ -359,15 +371,15 @@ PyObject* KX_PolygonMaterial::pyattr_get_material(void *self_v, const KX_PYATTRI PyObject* KX_PolygonMaterial::pyattr_get_tface(void *self_v, const KX_PYATTRIBUTE_DEF *attrdef) { KX_PolygonMaterial* self= static_cast(self_v); - return PyCapsule_New(self->m_tface, KX_POLYGONMATERIAL_CAPSULE_ID, NULL); + return PyCapsule_New(&self->m_tface, KX_POLYGONMATERIAL_CAPSULE_ID, NULL); } PyObject* KX_PolygonMaterial::pyattr_get_gl_texture(void *self_v, const KX_PYATTRIBUTE_DEF *attrdef) { KX_PolygonMaterial* self= static_cast(self_v); int bindcode= 0; - if (self->m_tface && self->m_tface->tpage) - bindcode= self->m_tface->tpage->bindcode; + if (self->m_tface.tpage) + bindcode= self->m_tface.tpage->bindcode; return PyLong_FromSsize_t(bindcode); } diff --git a/source/gameengine/Ketsji/KX_PolygonMaterial.h b/source/gameengine/Ketsji/KX_PolygonMaterial.h index 1af8a72c1fd..f7ad3973212 100644 --- a/source/gameengine/Ketsji/KX_PolygonMaterial.h +++ b/source/gameengine/Ketsji/KX_PolygonMaterial.h @@ -37,6 +37,7 @@ #include "RAS_MaterialBucket.h" #include "RAS_IRasterizer.h" #include "DNA_ID.h" +#include "DNA_meshdata_types.h" #ifdef WITH_CXX_GUARDEDALLOC #include "MEM_guardedalloc.h" @@ -58,9 +59,9 @@ class KX_PolygonMaterial : public PyObjectPlus, public RAS_IPolyMaterial Py_Header private: /** Blender texture face structure. */ - MTFace* m_tface; - unsigned int* m_mcol; - Material* m_material; + mutable MTFace m_tface; + mutable unsigned int m_mcol; + Material* m_material; #ifdef WITH_PYTHON PyObject* m_pymaterial; 
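Review bot: `ima` can be NULL at `GPU_update_image_time(ima, rasty->GetTime());`, because a material initialized without a tface now holds a zeroed `m_tface` whose `tpage` is NULL. Whether that function tolerates NULL is not visible in this patch; if it does not, guard the call with `if (ima) GPU_update_image_time(ima, rasty->GetTime());`. DefaultActivate starts and ends outside the hunk.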
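Review bot: The capsule returned by `pyattr_get_tface` wraps `&self->m_tface`, an address inside the material object, and is created with a NULL destructor and no reference to its owner. A script that keeps the capsule after the material is destroyed therefore holds a dangling pointer, which is the same class of bug this commit fixes, moved to the Python side. Either tie the capsule's lifetime to the material or document the constraint above the call: `/* capsule borrows m_tface; valid only while this KX_PolygonMaterial is alive */`. Previously a NULL `m_tface` made `PyCapsule_New` fail; now a capsule is always returned, even when the tface is zero-filled.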
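Review bot: `mutable` on `m_tface` and `m_mcol` appears to exist only so the const getters can return non-const pointers, which lets any holder of a `const KX_PolygonMaterial` modify its state. If callers allow it, return `const MTFace*` and `const unsigned int*` from the const accessors instead; otherwise add a comment saying why `mutable` is required. The doc comment above the member is also stale now that the material owns a copy; it could read `/** Copy of the Blender texture face taken in Initialize(); zeroed when none was given. */`.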
@@ -119,12 +120,12 @@ public: */ MTFace* GetMTFace(void) const { - return m_tface; + return &m_tface; } unsigned int* GetMCol(void) const { - return m_mcol; + return &m_mcol; } virtual void GetMaterialRGBAColor(unsigned char *rgba) const; -- cgit v1.2.3
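Review bot: `GetMTFace()` and `GetMCol()` can no longer return NULL, so any caller that used a NULL result to mean "no tface" or "no vertex colour" would now treat a zero-filled value as real data. The callers are outside this patch, so each one needs checking. A comment on both getters would make the new contract explicit: `/* never NULL; points at this material's own copy, zeroed if none was supplied, valid only while the material lives */`.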