BGE: fix use after free
authorCampbell Barton <ideasman42@gmail.com>
Mon, 15 Jun 2015 10:56:44 +0000 (20:56 +1000)
committerCampbell Barton <ideasman42@gmail.com>
Mon, 15 Jun 2015 10:56:44 +0000 (20:56 +1000)
source/gameengine/Ketsji/KX_Scene.cpp

index 2adc20b0288c3d553317d258c4e7f890d917ebae..d3ee219b2f498ce140383672854644c5139b4384 100644 (file)
@@ -1080,6 +1080,16 @@ int KX_Scene::NewRemoveObject(class CValue* gameobj)
                group->RemoveInstanceObject(newobj);
        
        newobj->RemoveMeshes();
+
+       switch (newobj->GetGameObjectType()) {
+               case SCA_IObject::OBJ_CAMERA:
+                       m_cameras.remove((KX_Camera *)newobj);
+                       break;
+               case SCA_IObject::OBJ_TEXT:
+                       m_fonts.remove((KX_FontObject *)newobj);
+                       break;
+       }
+
        ret = 1;
        if (newobj->GetGameObjectType()==SCA_IObject::OBJ_LIGHT && m_lightlist->RemoveValue(newobj))
                ret = newobj->Release();
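Review bot: The new switch is only safe because it runs before the first `newobj->Release()` in this function, and nothing at the switch says so, so a later reorder could reintroduce the use after free. I would add a comment above it such as `/* Must stay before the Release() calls below: 'newobj' may be freed once its last reference is dropped. */`. The switch also has no `default:` label; if `GetGameObjectType()` returns an enum type, builds with `-Wswitch` will warn about the unhandled values, and `default: break;` would make the intent explicit. NewRemoveObject starts and ends outside this hunk.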
@@ -1095,7 +1105,10 @@ int KX_Scene::NewRemoveObject(class CValue* gameobj)
                ret = newobj->Release();
        if (m_animatedlist->RemoveValue(newobj))
                ret = newobj->Release();
-               
+
+       /* Warning 'newobj' maye be freed now, only compare, don't access */
+
+
        if (newobj == m_active_camera)
        {
                //no AddRef done on m_active_camera so no Release
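Review bot: The warning comment added before the `m_active_camera` comparison has a typo (`maye`) and is followed by two blank lines; suggest `/* Warning: 'newobj' may be freed now, only compare, don't access. */` and a single blank line. This comment is the only thing protecting the rest of the function from dereferencing a freed object, so it is worth keeping it accurate and easy to find. The function body continues outside this hunk, so I cannot confirm that every later statement only compares the pointer.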
@@ -1103,12 +1116,6 @@ int KX_Scene::NewRemoveObject(class CValue* gameobj)
                m_active_camera = NULL;
        }
 
-       // in case this is a camera
-       m_cameras.remove((KX_Camera*)newobj);
-
-       // in case this is a font
-       m_fonts.remove((KX_FontObject*)newobj);
-
        /* currently does nothing, keep in case we need to Unregister something */
 #if 0
        if (m_sceneConverter)