From 21c039f6ef3fb10c0439b096ed7e89d59e3997b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?=
Date: Thu, 1 Aug 2019 15:14:57 +0200
Subject: Alembic: fix heap-use-after-free error

The mesh can be freed by BKE_mesh_nomain_to_mesh(), so we need to get the `ME_AUTOSMOOTH` flag before that call, and not after.
---
 source/blender/alembic/intern/abc_mesh.cc | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'source')

diff --git a/source/blender/alembic/intern/abc_mesh.cc b/source/blender/alembic/intern/abc_mesh.cc
index 9e6f2dd6b52..6647ca83bd6 100644
--- a/source/blender/alembic/intern/abc_mesh.cc
+++ b/source/blender/alembic/intern/abc_mesh.cc
@@ -1093,10 +1093,11 @@ void AbcMeshReader::readObjectData(Main *bmain, const Alembic::Abc::ISampleSelec
 Mesh *read_mesh = this->read_mesh(mesh, sample_sel, MOD_MESHSEQ_READ_ALL, NULL);
 if (read_mesh != mesh) {
- BKE_mesh_nomain_to_mesh(read_mesh, mesh, m_object, &CD_MASK_MESH, true);
- /* XXX fixme after 2.80; mesh->flag isn't copied by BKE_mesh_nomain_to_mesh() */
- mesh->flag |= (read_mesh->flag & ME_AUTOSMOOTH);
+ /* read_mesh can be freed by BKE_mesh_nomain_to_mesh(), so get the flag before that happens. */
+ short autosmooth = (read_mesh->flag & ME_AUTOSMOOTH);
+ BKE_mesh_nomain_to_mesh(read_mesh, mesh, m_object, &CD_MASK_MESH, true);
+ mesh->flag |= autosmooth;
 }
 if (m_settings->validate_meshes) {
-- 
cgit v1.2.3
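Review bot: After the reordered `BKE_mesh_nomain_to_mesh(read_mesh, mesh, ...)` call, `read_mesh` stays in scope as a possibly dangling pointer, so a later edit could reintroduce the same read of freed memory without any compiler or runtime signal. I would add `read_mesh = NULL;` directly after the call, inside the `if (read_mesh != mesh)` block, so that an accidental later dereference fails deterministically instead of reading freed heap. readObjectData starts and ends outside the hunk, so first confirm that nothing further down still reads `read_mesh`. The saved value can also be declared `const short autosmooth = ...`; the declared type of `Mesh::flag` is not visible here, so check that `short` matches it and the masked bit is not truncated.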