Fix T53347: Vertex paint crash on undo/exit
authorCampbell Barton <ideasman42@gmail.com>
Sun, 19 Nov 2017 05:45:27 +0000 (16:45 +1100)
committerCampbell Barton <ideasman42@gmail.com>
Sun, 19 Nov 2017 05:45:27 +0000 (16:45 +1100)
source/blender/blenkernel/BKE_subsurf.h
source/blender/blenkernel/intern/subsurf_ccg.c

index f52bb2ab9cbc800dcf4698ba468b4857028cfe6c..92170325113df91bf8a53d27af62dc37f20fbf29 100644 (file)
@@ -125,6 +125,8 @@ typedef struct CCGDerivedMesh {
        struct CCGFace **gridFaces;
        struct DMFlagMat *gridFlagMats;
        unsigned int **gridHidden;
+       /* Elements in arrays above. */
+       unsigned int numGrid;
 
        struct {
                struct MultiresModifierData *mmd;
index 0cdc97c829fd5195739b6469259b8f739b8589bc..f8025f8df84a2269e07b3e713563d29c4e598ed8 100644 (file)
@@ -4031,10 +4031,12 @@ static void ccgDM_release(DerivedMesh *dm)
                if (ccgdm->gridOffset) MEM_freeN(ccgdm->gridOffset);
                if (ccgdm->gridFlagMats) MEM_freeN(ccgdm->gridFlagMats);
                if (ccgdm->gridHidden) {
-                       int i, numGrids = dm->getNumGrids(dm);
-                       for (i = 0; i < numGrids; i++) {
-                               if (ccgdm->gridHidden[i])
+                       /* Using dm->getNumGrids(dm) accesses freed memory */
+                       uint numGrids = ccgdm->numGrid;
+                       for (uint i = 0; i < numGrids; i++) {
+                               if (ccgdm->gridHidden[i]) {
                                        MEM_freeN(ccgdm->gridHidden[i]);
+                               }
                        }
                        MEM_freeN(ccgdm->gridHidden);
                }
@@ -4338,6 +4340,7 @@ static void ccgdm_create_grids(DerivedMesh *dm)
        ccgdm->gridFaces = gridFaces;
        ccgdm->gridOffset = gridOffset;
        ccgdm->gridFlagMats = gridFlagMats;
+       ccgdm->numGrid = numGrids;
 }
 
 static CCGElem **ccgDM_getGridData(DerivedMesh *dm)