From 35e50c170c4a596c947bd6e642a3a2c64ac114f7 Mon Sep 17 00:00:00 2001
From: Hans Goudey
Date: Wed, 21 Oct 2020 08:25:46 -0500
Subject: Fix panel type use after free when reloading scripts

In order to prevent the panel code from using the type after it is freed, the field needs to be set to NULL. This needs to be done recursively for subpanels as well as top-level panels.
---
 source/blender/makesrna/intern/rna_ui.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
(limited to 'source')
diff --git a/source/blender/makesrna/intern/rna_ui.c b/source/blender/makesrna/intern/rna_ui.c
index d637e011777..5179c4e538a 100644
--- a/source/blender/makesrna/intern/rna_ui.c
+++ b/source/blender/makesrna/intern/rna_ui.c
@@ -180,6 +180,17 @@ static void panel_draw_header_preset(const bContext *C, Panel *panel)
 RNA_parameter_list_free(&list);
 }
 
+static void remove_panel_type_recursive(Panel *panel, const PanelType *pt)
+{
+ if (panel->type == pt) {
+ panel->type = NULL;
+ }
+
+ LISTBASE_FOREACH (Panel *, child_panel, &panel->children) {
+ remove_panel_type_recursive(child_panel, pt);
+ }
+}
+
 static void rna_Panel_unregister(Main *bmain, StructRNA *type)
 {
 ARegionType *art;
@@ -220,9 +231,7 @@ static void rna_Panel_unregister(Main *bmain, StructRNA *type)
 LISTBASE_FOREACH (ARegion *, region, regionbase) {
 if (region->type == art) {
 LISTBASE_FOREACH (Panel *, panel, ®ion->panels) {
- if (panel->type == pt) {
- panel->type = NULL;
- }
+ remove_panel_type_recursive(panel, pt);
 }
 }
 /* The unregistered panel might have had a template that added instanced panels,
-- 
cgit v1.2.3
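Review bot: `remove_panel_type_recursive` in the first hunk has no comment stating why the pointer is cleared, and once it has run every reader of `panel->type` must tolerate NULL, which neither hunk can confirm. I would add above the helper `/* Clear every reference to a PanelType that is about to be freed, in this panel and all of its sub-panels, so no Panel keeps a dangling pointer. */`. The call site in the second hunk still visits only `region->panels` of regions where `region->type == art`; if a Panel can be reached through any other list, it would keep the stale pointer, so it is worth confirming that these lists are the only owners. The body of `rna_Panel_unregister` starts and ends outside the hunks, so the free itself and any later handling are not visible here.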