Depsgraph: Fix heap use after free when freeing scene with compositor
authorSergey Sharybin <sergey.vfx@gmail.com>
Wed, 19 Jul 2017 13:06:25 +0000 (15:06 +0200)
committerSergey Sharybin <sergey.vfx@gmail.com>
Wed, 19 Jul 2017 13:20:07 +0000 (15:20 +0200)
This is the fake-ID nature of the compositor again. Such pointers need to be
discarded before freeing the datablock for scenes as well (previously this was
done for objects only).

source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc

index 28d5db4063b67dca514ae92f71deae15c6e58994..f7e08915531588c5eb19c04d4655c29bf2c26c40 100644 (file)
@@ -670,6 +670,9 @@ void deg_free_copy_on_write_datablock(ID *id_cow)
                return;
        }
        const short type = GS(id_cow->name);
+#ifdef NESTED_ID_NASTY_WORKAROUND
+       nested_id_hack_discard_pointers(id_cow);
+#endif
        switch (type) {
                case ID_OB:
                {
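Review bot: The relocated `nested_id_hack_discard_pointers(id_cow)` block at the top of the hunk has no comment saying why it must now run before the `switch`, and the reason is not obvious from these lines alone: at least the ID_SCE case below frees the datablock and returns without reaching the code after the switch, so the old placement never ran for scenes. A one-line comment above the `#ifdef` would save the next reader from moving it back, for example `/* Must happen before the switch: some cases free the datablock and return early. */`. The enclosing deg_free_copy_on_write_datablock starts before this hunk.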
@@ -696,15 +699,13 @@ void deg_free_copy_on_write_datablock(ID *id_cow)
                        /* Special case for scene: we use explicit function call which
                         * ensures no access to other datablocks is done.
                         */
-                       BKE_scene_free_ex((Scene *)id_cow, false);
+                       Scene *scene = (Scene *)id_cow;
+                       BKE_scene_free_ex(scene, false);
                        BKE_libblock_free_data(id_cow, false);
                        id_cow->name[0] = '\0';
                        return;
                }
        }
-#ifdef NESTED_ID_NASTY_WORKAROUND
-       nested_id_hack_discard_pointers(id_cow);
-#endif
        BKE_libblock_free_datablock(id_cow);
        BKE_libblock_free_data(id_cow, false);
        /* Signal datablock as not being expanded. */
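Review bot: The new local `Scene *scene` in the ID_SCE case is used exactly once, on the very next line, so splitting `BKE_scene_free_ex((Scene *)id_cow, false)` into two lines adds a name without adding information. If the local is a placeholder for further scene-specific handling, a short comment saying so would explain the otherwise cosmetic change; if not, the previous one-liner reads more directly. The function body continues past the end of this hunk.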