Fix T96957: creating paint curve crashes

This was essentially double free due to a dangling pointer, because `op->customdata` was not properly set to null after the paint stroke was freed.
Referenced by issue #96957, Creating 'Paint' Curve in Blender 3.2 April 1 build crashes Blender
2022-04-03 10:49:20 +02:00 · 2022-04-03 10:49:20 +02:00 · 1cdf8b19e5 · 2023-02-14 01:52:41 +01:00
parent be699936af
commit 1cdf8b19e5
6 changed files with 11 additions and 7 deletions
--- a/source/blender/editors/sculpt_paint/curves_sculpt_ops.cc
+++ b/source/blender/editors/sculpt_paint/curves_sculpt_ops.cc
@ -710,7 +710,7 @@ static int sculpt_curves_stroke_modal(bContext *C, wmOperator *op, const wmEvent
 {
  SculptCurvesBrushStrokeData *op_data = static_cast<SculptCurvesBrushStrokeData *>(
      op->customdata);
-  int return_value = paint_stroke_modal(C, op, event, op_data->stroke);
+  int return_value = paint_stroke_modal(C, op, event, &op_data->stroke);
  if (ELEM(return_value, OPERATOR_FINISHED, OPERATOR_CANCELLED)) {
    MEM_delete(op_data);
  }
--- a/source/blender/editors/sculpt_paint/paint_image_ops_paint.cc
+++ b/source/blender/editors/sculpt_paint/paint_image_ops_paint.cc
@ -497,7 +497,7 @@ static int paint_exec(bContext *C, wmOperator *op)

 static int paint_modal(bContext *C, wmOperator *op, const wmEvent *event)
 {
-  return paint_stroke_modal(C, op, event, static_cast<PaintStroke *>(op->customdata));
+  return paint_stroke_modal(C, op, event, reinterpret_cast<PaintStroke **>(&op->customdata));
 }

 static void paint_cancel(bContext *C, wmOperator *op)
--- a/source/blender/editors/sculpt_paint/paint_intern.h
+++ b/source/blender/editors/sculpt_paint/paint_intern.h
@ -88,7 +88,7 @@ struct wmKeyMap *paint_stroke_modal_keymap(struct wmKeyConfig *keyconf);
 int paint_stroke_modal(struct bContext *C,
                       struct wmOperator *op,
                       const struct wmEvent *event,
-                       struct PaintStroke *stroke);
+                       struct PaintStroke **stroke_p);
 int paint_stroke_exec(struct bContext *C, struct wmOperator *op, struct PaintStroke *stroke);
 void paint_stroke_cancel(struct bContext *C, struct wmOperator *op, struct PaintStroke *stroke);
 bool paint_stroke_flipped(struct PaintStroke *stroke);
--- a/source/blender/editors/sculpt_paint/paint_stroke.c
+++ b/source/blender/editors/sculpt_paint/paint_stroke.c
@ -1389,10 +1389,11 @@ static void paint_stroke_line_constrain(PaintStroke *stroke, float mouse[2])
  }
 }

-int paint_stroke_modal(bContext *C, wmOperator *op, const wmEvent *event, PaintStroke *stroke)
+int paint_stroke_modal(bContext *C, wmOperator *op, const wmEvent *event, PaintStroke **stroke_p)
 {
  Paint *p = BKE_paint_get_active_from_context(C);
  ePaintMode mode = BKE_paintmode_get_active_from_context(C);
+  PaintStroke *stroke = *stroke_p;
  Brush *br = stroke->brush = BKE_paint_brush(p);
  PaintSample sample_average;
  float mouse[2];
@ -1441,6 +1442,7 @@ int paint_stroke_modal(bContext *C, wmOperator *op, const wmEvent *event, PaintS
  /* one time initialization */
  if (!stroke->stroke_init) {
    if (paint_stroke_curve_end(C, op, stroke)) {
+      *stroke_p = NULL;
      return OPERATOR_FINISHED;
    }

@ -1497,12 +1499,14 @@ int paint_stroke_modal(bContext *C, wmOperator *op, const wmEvent *event, PaintS
      paint_stroke_line_constrain(stroke, mouse);
      paint_stroke_line_end(C, op, stroke, mouse);
      stroke_done(C, op, stroke);
+      *stroke_p = NULL;
      return OPERATOR_FINISHED;
    }
  }
  else if (ELEM(event->type, EVT_RETKEY, EVT_SPACEKEY)) {
    paint_stroke_line_end(C, op, stroke, sample_average.mouse);
    stroke_done(C, op, stroke);
+    *stroke_p = NULL;
    return OPERATOR_FINISHED;
  }
  else if (br->flag & BRUSH_LINE) {
--- a/source/blender/editors/sculpt_paint/paint_vertex.c
+++ b/source/blender/editors/sculpt_paint/paint_vertex.c
@ -2596,7 +2596,7 @@ static void wpaint_cancel(bContext *C, wmOperator *op)

 static int wpaint_modal(bContext *C, wmOperator *op, const wmEvent *event)
 {
-  return paint_stroke_modal(C, op, event, op->customdata);
+  return paint_stroke_modal(C, op, event, (struct PaintStroke **)&op->customdata);
 }

 void PAINT_OT_weight_paint(wmOperatorType *ot)
@ -3551,7 +3551,7 @@ static void vpaint_cancel(bContext *C, wmOperator *op)

 static int vpaint_modal(bContext *C, wmOperator *op, const wmEvent *event)
 {
-  return paint_stroke_modal(C, op, event, op->customdata);
+  return paint_stroke_modal(C, op, event, (struct PaintStroke **)&op->customdata);
 }

 void PAINT_OT_vertex_paint(wmOperatorType *ot)
--- a/source/blender/editors/sculpt_paint/sculpt.c
+++ b/source/blender/editors/sculpt_paint/sculpt.c
@ -5399,7 +5399,7 @@ static void sculpt_brush_stroke_cancel(bContext *C, wmOperator *op)

 static int sculpt_brush_stroke_modal(bContext *C, wmOperator *op, const wmEvent *event)
 {
-  return paint_stroke_modal(C, op, event, op->customdata);
+  return paint_stroke_modal(C, op, event, (struct PaintStroke **)&op->customdata);
 }

 void SCULPT_OT_brush_stroke(wmOperatorType *ot)