From 12decaf13c2b10581fbc0577a6444c64c8343a9e Mon Sep 17 00:00:00 2001
From: Hans Goudey
Date: Thu, 8 May 2025 11:46:17 -0400
Subject: [PATCH] Fix: Use after free after recent image pool lock cleanup

Caused by 9a5a5c35c7c26ddece6379b0f0ea6bffddbd3890. We need to release the lock before freeing it.
---
 source/blender/blenkernel/intern/image.cc | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/source/blender/blenkernel/intern/image.cc b/source/blender/blenkernel/intern/image.cc
index 869b5c48cb8..c895ad4f24c 100644
--- a/source/blender/blenkernel/intern/image.cc
+++ b/source/blender/blenkernel/intern/image.cc
@@ -4986,19 +4986,20 @@ ImagePool *BKE_image_pool_new()
 void BKE_image_pool_free(ImagePool *pool)
 {
 /* Use single lock to dereference all the image buffers. */
- std::scoped_lock lock(pool->mutex);
- for (ImagePoolItem *item = static_cast(pool->image_buffers.first);
- item != nullptr;
- item = item->next) {
- if (item->ibuf != nullptr) {
- std::scoped_lock lock(item->image->runtime->cache_mutex);
- IMB_freeImBuf(item->ibuf);
+ std::scoped_lock lock(pool->mutex);
+ for (ImagePoolItem *item = static_cast(pool->image_buffers.first);
+ item != nullptr;
+ item = item->next)
+ {
+ if (item->ibuf != nullptr) {
+ std::scoped_lock lock(item->image->runtime->cache_mutex);
+ IMB_freeImBuf(item->ibuf);
+ }
 }
+
+ BLI_mempool_destroy(pool->memory_pool);
 }
-
- BLI_mempool_destroy(pool->memory_pool);
-
 MEM_delete(pool);
 }
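Review bot: The block scope that now closes before `MEM_delete(pool)` is the entire fix, yet nothing in the code says why it exists, so the next tidy-up could flatten it and reintroduce the use-after-free the commit message describes (the lock guards `pool->mutex`, which is freed together with the pool). Put the reason on the scope itself, next to the existing comment, e.g. `/* Keep this in its own scope: the lock on pool->mutex must be released before MEM_delete(pool) destroys the mutex. */`. The inner `std::scoped_lock lock(item->image->runtime->cache_mutex)` reuses the name `lock` from the enclosing scope; it compiles, but it trips `-Wshadow` and hides that two locks with different lifetimes are in play, so a distinct name such as `image_lock` would read better. As extracted here the hunk appears to have lost the line that opens the block scope and the `static_cast` template arguments, so this reading assumes the scope wraps the loop and `BLI_mempool_destroy` as the diffstat and the closing braces suggest.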