From ae9665bc449f757b4a885e4958440e38dfae6133 Mon Sep 17 00:00:00 2001
From: Bastien Montagne <bastien@blender.org>
Date: Tue, 22 Aug 2023 17:26:37 +0200
Subject: [PATCH] Fix (unreported) invalid memory access in new 'newer
 blendfile version' code.

When choosing the new 'overwrite' option when trying to save a blendfile
from a newer version of Blender, it would cause invalid (use-after-free)
memory access.

Issue caused by the main commit (a1d7ec7139) of the new blendfile
compatibility handling. No idea how it was not detected earlier.

Many thanks to @weizhen for spotting the issue and doing some initial
investigation on it.
---
 source/blender/windowmanager/intern/wm_files.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/source/blender/windowmanager/intern/wm_files.c b/source/blender/windowmanager/intern/wm_files.c
index f6abb596458..887151e74fc 100644
--- a/source/blender/windowmanager/intern/wm_files.c
+++ b/source/blender/windowmanager/intern/wm_files.c
@@ -3602,11 +3602,15 @@ static void save_file_forwardcompat_cancel_button(uiBlock *block, wmGenericCallb
 static void save_file_forwardcompat_overwrite(bContext *C, void *arg_block, void *arg_data)
 {
   wmWindow *win = CTX_wm_window(C);
-  UI_popup_block_close(C, win, arg_block);
 
   /* Re-use operator properties as defined for the initial 'save' operator, which triggered this
    * 'forward compat' popup. */
   wmGenericCallback *callback = WM_generic_callback_steal(arg_data);
+
+  /* Needs to be done after stealing the callback data above, otherwise it would cause a
+   * use-after-free. */
+  UI_popup_block_close(C, win, arg_block);
+
   PointerRNA operator_propptr = {0};
   PointerRNA *operator_propptr_p = &operator_propptr;
   IDProperty *operator_idproperties = callback->user_data;
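Review bot: The new comment above the moved `UI_popup_block_close` call states that the order matters but not which object goes away, so the next edit that reorders these statements has nothing to tell it what is freed; if, as the fix implies, closing the block releases the callback argument the popup was created with, say so: `/* Closing the popup block frees its callback argument (arg_data); the callback must be stolen first so its user_data outlives the block. */`. Since `arg_data` must not be touched once the block is closed, clearing it right after the steal, `arg_data = NULL;`, would turn any later accidental use into a reproducible null dereference instead of a silent use-after-free. The result of `WM_generic_callback_steal` is dereferenced as `callback->user_data` with no check; whether it can return NULL is not visible here, but a short assertion would document the expectation. The body of save_file_forwardcompat_overwrite continues past the end of the hunk.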
-- 
GitLab