blender
/
blender
135
403
Fork 586
Code Issues 6.2k Pull Requests 758 Projects 19 Wiki Activity

Fix use-after-free error when handling events that close windows 

Regression in [0] caused operations such as file-load or file-new
from any window besides the first to write into the freed:
`wmWindow.eventstate`.

Resolve by copying the event instead of restoring the region relative
cursor position after modifying it.

[0]: 789b1617f7
This commit is contained in:
Campbell Barton 2022-07-04 16:11:31 +10:00
parent cbb897070d
commit c5d3846b10
Notes: blender-bot 2023-02-14 00:09:06 +01:00 
Referenced by issue #98661, 3.2: Potential candidates for corrective releases
1 changed files with 4 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
source/blender/windowmanager/intern/wm_event_system.cc
View File

@ -1378,22 +1378,20 @@ static int wm_operator_invoke(bContext *C,
}
if (op->type->invoke && event) {
/* Temporarily write into `mval` (not technically `const` correct) but this is restored. */
const int mval_prev[2] = {UNPACK2(event->mval)};
wm_region_mouse_co(C, (wmEvent *)event);
/* Make a copy of the event as it's `const` and the #wmEvent.mval to be written into. */
wmEvent event_temp = *event;
wm_region_mouse_co(C, &event_temp);
if (op->type->flag & OPTYPE_UNDO) {
wm->op_undo_depth++;
}
retval = op->type->invoke(C, op, event);
retval = op->type->invoke(C, op, &event_temp);
OPERATOR_RETVAL_CHECK(retval);
if (op->type->flag & OPTYPE_UNDO && CTX_wm_manager(C) == wm) {
wm->op_undo_depth--;
}
copy_v2_v2_int(((wmEvent *)event)->mval, mval_prev);
}
else if (op->type->exec) {
if (op->type->flag & OPTYPE_UNDO) {