Fixed an access after free in ShaderLanguage::_reduce_expression.

Passing an element reference of a vector to a push_back call to that same vector can cause an access after free. This is because push_back will resize the vector, reallocating if necessary, leaving the reference referring to the freed memory. Removed an instance of this usage here.
author: Ibrahn Sahir <ibrahn.sahir@gmail.com> 2018-09-19 14:28:19 +0100
committer: Ibrahn Sahir <ibrahn.sahir@gmail.com> 2018-09-19 14:28:19 +0100
commit: bff864818f5b47caf0f789fc61ca8729fb443c83 (patch)
tree: de6724d2e8b29bf9329a5413d41c19aa332e1270 /servers/visual
parent: 9c2986abda73e279d575a6d7d8c4f4b3e13a1a39 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/servers/visual/shader_language.cpp b/servers/visual/shader_language.cpp
index 35236b23f1..4718eb14a5 100644
--- a/servers/visual/shader_language.cpp
+++ b/servers/visual/shader_language.cpp
@@ -3437,8 +3437,9 @@ ShaderLanguage::Node *ShaderLanguage::_reduce_expression(BlockNode *p_block, Sha
 					}
 				}
 			} else {
+				ConstantNode::Value value = values[0];
 				for (int i = 1; i < cardinality; i++) {
-					values.push_back(values[0]);
+					values.push_back(value);
 				}
 			}
 		} else if (values.size() != cardinality) {
author	Ibrahn Sahir <ibrahn.sahir@gmail.com>	2018-09-19 14:28:19 +0100
committer	Ibrahn Sahir <ibrahn.sahir@gmail.com>	2018-09-19 14:28:19 +0100
commit	bff864818f5b47caf0f789fc61ca8729fb443c83 (patch)
tree	de6724d2e8b29bf9329a5413d41c19aa332e1270 /servers/visual
parent	9c2986abda73e279d575a6d7d8c4f4b3e13a1a39 (diff)