Fix T94454: Python API curve to mesh use after free without depsgraph

This was caused by a mistake in eb0eb54d96, which removed the clearing of the curve edit mode pointers that are set when creating the temporary data for the conversion. If they are not cleared, the generic ID free function will also free the edit mode data, which is wrong when the source curve is in edit mode.
Referenced by issue #94454, Crash in nvoglv64.dll entering edit mode on curve Referenced by issue #93479, 3.0 Potential candidates for corrective releases
2021-12-29 16:53:02 -06:00 · 2021-12-29 16:53:02 -06:00 · 50c39ff8fe · 2023-02-14 07:39:44 +01:00
parent 512014f042
commit 50c39ff8fe
1 changed files with 15 additions and 2 deletions
--- a/source/blender/blenkernel/intern/mesh_convert.cc
+++ b/source/blender/blenkernel/intern/mesh_convert.cc
@ -901,6 +901,20 @@ static Object *object_for_curve_to_mesh_create(const Object *object)
  return temp_object;
 }

+static void object_for_curve_to_mesh_free(Object *temp_object)
+{
+  /* Clear edit mode pointers that were explicitly copied to the temporary curve. */
+  ID *final_object_data = static_cast<ID *>(temp_object->data);
+  if (GS(final_object_data->name) == ID_CU) {
+    Curve &curve = *reinterpret_cast<Curve *>(final_object_data);
+    curve.editfont = nullptr;
+    curve.editnurb = nullptr;
+  }
+
+  BKE_id_free(nullptr, temp_object->data);
+  BKE_id_free(nullptr, temp_object);
+}
+
 /**
 * Populate `object->runtime.curve_cache` which is then used to create the mesh.
 */
@ -1003,8 +1017,7 @@ static Mesh *mesh_new_from_curve_type_object(const Object *object)

  Mesh *mesh = mesh_new_from_evaluated_curve_type_object(temp_object);

-  BKE_id_free(nullptr, temp_object->data);
-  BKE_id_free(nullptr, temp_object);
+  object_for_curve_to_mesh_free(temp_object);

  return mesh;
 }