From 071799d4fc44f422abacbdad09bb45fb95de89f2 Mon Sep 17 00:00:00 2001 From: Falk David Date: Wed, 23 Jun 2021 14:56:36 +1000 Subject: [PATCH] Fix T89265: Crash when tabbing through num inputs Fix by reverting the part of ec30cf0b742f5181c4de91b474ca01d6a809c593 that assigned `but->editval` in `ui_numedit_begin_set_values`. Causing access freed memory when using tab to switch to a numeric input and then leaving the textbox by clicking outside. This was because `ui_numedit_begin_set_values` shouldn't need to set `but->editval` and overwrite the pointer. This would set a pointer that had previously been freed, causing a `NULL` check to fail later on. Ref D11679 --- source/blender/editors/interface/interface_handlers.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/blender/editors/interface/interface_handlers.c b/source/blender/editors/interface/interface_handlers.c index a5b7f3820fc..1c55ce0f348 100644 --- a/source/blender/editors/interface/interface_handlers.c +++ b/source/blender/editors/interface/interface_handlers.c @@ -3906,7 +3906,6 @@ static void ui_numedit_begin_set_values(uiBut *but, uiHandleButtonData *data) data->startvalue = ui_but_value_get(but); data->origvalue = data->startvalue; data->value = data->origvalue; - but->editval = &data->value; } static void ui_numedit_begin(uiBut *but, uiHandleButtonData *data) @@ -3935,6 +3934,7 @@ static void ui_numedit_begin(uiBut *but, uiHandleButtonData *data) } else { ui_numedit_begin_set_values(but, data); + but->editval = &data->value; float softmin = but->softmin; float softmax = but->softmax;