author | Ibrahn Sahir <ibrahn.sahir@gmail.com> | 2018-09-19 14:28:19 +0100 |
---|---|---|
committer | Ibrahn Sahir <ibrahn.sahir@gmail.com> | 2018-09-19 14:28:19 +0100 |
commit | bff864818f5b47caf0f789fc61ca8729fb443c83 (patch) | |
tree | de6724d2e8b29bf9329a5413d41c19aa332e1270 /servers/visual | |
parent | 9c2986abda73e279d575a6d7d8c4f4b3e13a1a39 (diff) |
Fixed an access after free in ShaderLanguage::_reduce_expression.
Passing an element reference of a vector to a push_back call to
that same vector can cause an access after free. This is because push_back
will resize the vector, reallocating if necessary, leaving the reference
referring to the freed memory.
Removed an instance of this usage here.
Diffstat (limited to 'servers/visual')
-rw-r--r-- | servers/visual/shader_language.cpp | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/servers/visual/shader_language.cpp b/servers/visual/shader_language.cpp index 35236b23f1..4718eb14a5 100644 --- a/servers/visual/shader_language.cpp +++ b/servers/visual/shader_language.cpp @@ -3437,8 +3437,9 @@ ShaderLanguage::Node *ShaderLanguage::_reduce_expression(BlockNode *p_block, Sha } } } else { + ConstantNode::Value value = values[0]; for (int i = 1; i < cardinality; i++) { - values.push_back(values[0]); + values.push_back(value); } } } else if (values.size() != cardinality) { |
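Review bot: The new local `value` in the else branch has no comment saying why it exists, so a later cleanup could fold it back into `values.push_back(values[0])` and reintroduce the access after free. Add a one-line comment above `ConstantNode::Value value = values[0];` noting that push_back may reallocate and invalidate references into `values`, and consider declaring the copy `const` since the loop never modifies it. The commit message describes this as one instance of the usage, so the same pattern of passing an element reference into push_back on the same vector is worth searching for at other call sites, or guarding against once in push_back itself by copying the argument before the resize.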