From ebb49ddd834cba2ea59f375e4866890ece57eae5 Mon Sep 17 00:00:00 2001
From: Falk David
Date: Wed, 30 Mar 2022 11:41:27 +0200
Subject: [PATCH] GPencil: Fix double-free issue in update cache

When a `GPencilUpdateCacheNode` is created, it always allocates the `children` pointer. This should not be freed until the whole cache is deleted. The `cache_node_update` would free the `children` pointer in a specific case, causing a double-free later when the cache was removed.
---
 source/blender/blenkernel/intern/gpencil_update_cache.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/source/blender/blenkernel/intern/gpencil_update_cache.c b/source/blender/blenkernel/intern/gpencil_update_cache.c
index bbe576eb847..9113f2e2ab9 100644
--- a/source/blender/blenkernel/intern/gpencil_update_cache.c
+++ b/source/blender/blenkernel/intern/gpencil_update_cache.c
@@ -51,10 +51,8 @@ static void cache_node_free(void *node);
 static void update_cache_free(GPencilUpdateCache *cache)
 {
-  if (cache->children != NULL) {
-    BLI_dlrbTree_free(cache->children, cache_node_free);
-    MEM_freeN(cache->children);
-  }
+  BLI_dlrbTree_free(cache->children, cache_node_free);
+  MEM_SAFE_FREE(cache->children);
   MEM_freeN(cache);
 }
@@ -83,9 +81,8 @@ static void cache_node_update(void *node, void *data)
   /* In case the new cache does a full update, remove its children since they will be all
    * updated by this cache. */
-  if (new_update_cache->flag == GP_UPDATE_NODE_FULL_COPY && update_cache->children != NULL) {
+  if (new_update_cache->flag == GP_UPDATE_NODE_FULL_COPY) {
     BLI_dlrbTree_free(update_cache->children, cache_node_free);
-    MEM_freeN(update_cache->children);
   }
   update_cache_free(new_update_cache);
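Review bot: In `update_cache_free` the new `MEM_SAFE_FREE(cache->children);` tolerates a NULL `children`, but the `BLI_dlrbTree_free(cache->children, cache_node_free);` directly above it is now unconditional, so the two lines disagree about whether `children` can ever be NULL. The commit message states that the node always allocates `children`, in which case a plain `MEM_freeN(cache->children);` expresses that invariant more honestly; if a NULL `children` is still reachable (for instance a partially initialised cache), the tree free needs the same guard unless `BLI_dlrbTree_free` is known to accept NULL, which this hunk does not show. A one-line comment such as `/* 'children' is always allocated with the cache and is only released here. */` would record the ownership rule the double-free fix depends on.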
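Review bot: In `cache_node_update` the surviving `BLI_dlrbTree_free(update_cache->children, cache_node_free);` releases the nodes but keeps `update_cache->children` alive and in use, and the same tree is freed again later by `update_cache_free`; that is only sound if `BLI_dlrbTree_free` clears the tree's root/first/last pointers after freeing, otherwise the second free walks released memory. Nothing in the hunk establishes that contract, so it should be confirmed and documented next to the call, e.g. `/* Empties the tree in place; 'children' stays allocated and is reused. */`. `cache_node_update` starts and ends outside the hunk.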