From 3c62f5fe5cbf0b6a1210d73a42fc247818107df0 Mon Sep 17 00:00:00 2001
From: Danil Alexeev
Date: Mon, 15 Apr 2024 13:23:52 +0300
Subject: [PATCH] Core: Fix `RefCounted` handling in `marshalls.cpp`
---
 core/io/marshalls.cpp | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/core/io/marshalls.cpp b/core/io/marshalls.cpp
index 4487b8e4725..c9493be4efa 100644
--- a/core/io/marshalls.cpp
+++ b/core/io/marshalls.cpp
@@ -656,10 +656,19 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
 ERR_FAIL_COND_V(!ClassDB::can_instantiate(str), ERR_INVALID_DATA);
 Object *obj = ClassDB::instantiate(str);
- ERR_FAIL_NULL_V(obj, ERR_UNAVAILABLE);
- ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA);
+ // Avoid premature free `RefCounted`. This must be done before properties are initialized,
+ // since script functions (setters, implicit initializer) may be called. See GH-68666.
+ Variant variant;
+ if (Object::cast_to(obj)) {
+ Ref ref = Ref(Object::cast_to(obj));
+ variant = ref;
+ } else {
+ variant = obj;
+ }
+
+ ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA);
 int32_t count = decode_uint32(buf);
 buf += 4;
 len -= 4;
@@ -699,12 +708,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
 }
 }
- if (Object::cast_to(obj)) {
- Ref ref = Ref(Object::cast_to(obj));
- r_variant = ref;
- } else {
- r_variant = obj;
- }
+ r_variant = variant;
 }
 }
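Review bot: The null guard on `obj` is removed along with the `len < 4` check in the first hunk, but only the length check is re-added after the `Ref` wrapping; if `ClassDB::instantiate(str)` can return null (the removed `ERR_FAIL_NULL_V` existed for that case), a null `obj` now falls into the `else` branch, is stored in `variant`, and the property-decoding loop that follows (outside this hunk) would presumably operate on that null pointer. Since `decode_variant` consumes serialized input it does not control, keep the guard directly after the instantiation: `ERR_FAIL_NULL_V(obj, ERR_UNAVAILABLE);`. Placing the `len < 4` check only after the object has been wrapped is the right order, since an early return then releases a `RefCounted` instead of leaking it, and the second hunk's `r_variant = variant;` follows from that. The body of `decode_variant` extends beyond both hunks, and the template arguments of `cast_to`/`Ref` appear to have been stripped from this rendering rather than from the code.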