From ae9665bc449f757b4a885e4958440e38dfae6133 Mon Sep 17 00:00:00 2001
From: Bastien Montagne <bastien@blender.org>
Date: Tue, 22 Aug 2023 17:26:37 +0200
Subject: [PATCH] Fix (unreported) invalid memory access in new 'newer blendfile version' code.

When choosing the new 'overwrite' option when trying to save a blendfile from a newer version of Blender, it would cause invalid (use-after-free) memory access.

Issue caused by the main commit (a1d7ec7139) of the new blendfile compatibility handling. No idea how it was not detected earlier.

Many thanks to @weizhen for spotting the issue and doing some initial investigation on it.
---
 source/blender/windowmanager/intern/wm_files.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/source/blender/windowmanager/intern/wm_files.c b/source/blender/windowmanager/intern/wm_files.c
index f6abb596458..887151e74fc 100644
--- a/source/blender/windowmanager/intern/wm_files.c
+++ b/source/blender/windowmanager/intern/wm_files.c
@@ -3602,11 +3602,15 @@ static void save_file_forwardcompat_cancel_button(uiBlock *block, wmGenericCallb
 static void save_file_forwardcompat_overwrite(bContext *C, void *arg_block, void *arg_data)
 {
 wmWindow *win = CTX_wm_window(C);
- UI_popup_block_close(C, win, arg_block);
 /* Re-use operator properties as defined for the initial 'save' operator, which triggered this * 'forward compat' popup. */
 wmGenericCallback *callback = WM_generic_callback_steal(arg_data);
+
+ /* Needs to be done after stealing the callback data above, otherwise it would cause a * use-after-free. */
+ UI_popup_block_close(C, win, arg_block);
+
 PointerRNA operator_propptr = {0};
 PointerRNA *operator_propptr_p = &operator_propptr;
 IDProperty *operator_idproperties = callback->user_data;
-- 
GitLab
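Review bot: The comment added above the moved `UI_popup_block_close(C, win, arg_block);` says the ordering avoids a use-after-free but not what owns what, so the next person who reorders these lines has nothing concrete to check against; I would state the ownership explicitly, e.g. `/* Closing the popup block frees the block's callback data (arg_data), so the callback must be stolen first for it to outlive the block. */` (assuming that is the mechanism, which the commit message implies but the hunk itself does not show). Nothing in the code enforces the ordering either, so if `WM_generic_callback_steal` can return NULL, a `BLI_assert(callback != NULL);` before the `callback->user_data` read would turn a future regression into a loud failure instead of a silent dangling dereference. The sibling `save_file_forwardcompat_cancel_button` named in the hunk header is not visible here and likely deserves the same ordering audit. `save_file_forwardcompat_overwrite` continues past the hunk, so whether the stolen callback is released on every exit path cannot be checked from this view.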