From bff864818f5b47caf0f789fc61ca8729fb443c83 Mon Sep 17 00:00:00 2001
From: Ibrahn Sahir
Date: Wed, 19 Sep 2018 14:28:19 +0100
Subject: Fixed an access after free in ShaderLanguage::_reduce_expression. Passing an element reference of a vector to a push_back call to that same vector can cause an access after free. This is because push_back will resize the vector, reallocating if necessary, leaving the reference referring to the freed memory. Removed an instance of this usage here.
---
 servers/visual/shader_language.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/servers/visual/shader_language.cpp b/servers/visual/shader_language.cpp
index 35236b23f1..4718eb14a5 100644
--- a/servers/visual/shader_language.cpp
+++ b/servers/visual/shader_language.cpp
@@ -3437,8 +3437,9 @@ ShaderLanguage::Node *ShaderLanguage::_reduce_expression(BlockNode *p_block, Sha
 }
 }
 } else {
+ ConstantNode::Value value = values[0];
 for (int i = 1; i < cardinality; i++) {
- values.push_back(values[0]);
+ values.push_back(value);
 }
 }
 } else if (values.size() != cardinality) {
-- 
cgit v1.2.3
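Review bot: The new local `value` in the `else` branch has no comment, so the copy reads as redundant and a later cleanup could fold it back into `values.push_back(values[0])`, reintroducing the use-after-free. I would add `// Copy first: push_back may reallocate and invalidate a reference into 'values'.` above the declaration, and declare it `const ConstantNode::Value value = values[0];` since it is never modified. The hazard comes from how the container's push_back takes its argument, which is not visible in this hunk, so other call sites that pass an element of a vector to that same vector's push_back are worth auditing, ideally under an AddressSanitizer build. _reduce_expression starts and ends outside the hunk, so the guarantee that `values` is non-empty at `values[0]` cannot be confirmed from here.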