From 9bef8741a9a9ef4be87a37405ee154e53ccdf3bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Foucault?=
Date: Tue, 6 May 2025 15:02:36 +0200
Subject: [PATCH] Fix: GPU: Shader Preprocess: Undefined behavior in variable_reference_mutation

This is because the `match` can be referenced by the `report_error` callback. If the string is reallocated, the callback could read freed memory.
---
 source/blender/gpu/glsl_preprocess/glsl_preprocess.hh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/source/blender/gpu/glsl_preprocess/glsl_preprocess.hh b/source/blender/gpu/glsl_preprocess/glsl_preprocess.hh
index 7a0e9a9b300..9f812e2ba72 100644
--- a/source/blender/gpu/glsl_preprocess/glsl_preprocess.hh
+++ b/source/blender/gpu/glsl_preprocess/glsl_preprocess.hh
@@ -946,8 +946,6 @@ class Preprocessor {
 const string suffix = match.suffix().str();
 out_str += prefix;
-/** IMPORTANT: `match` is invalid after the assignment. */
-next_str = definition + suffix;
 /* Assert definition doesn't contain any side effect. */
 if (value.find("++") != string::npos || value.find("--") != string::npos) {
@@ -1017,6 +1015,9 @@ class Preprocessor {
 modified = regex_replace(
 modified, regex(R"(([^\.])\b)" + name + R"(\b([^(]))"), "$1" + value + "$2");
+/** IMPORTANT: `match` is invalid after the assignment. */
+next_str = definition + suffix;
+
 /* Replace whole modified scope in output string. */
 replace_all(next_str, original, modified);
 }
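Review bot: The relocated `/** IMPORTANT: `match` is invalid after the assignment. */` above `next_str = definition + suffix;` says what breaks but not why the assignment must be the last statement that can reach `match`, so a later edit that calls `report_error` after it, or moves the assignment back up, would silently reintroduce the freed-memory read this commit fixes; I would reword it as `/* IMPORTANT: `match` holds iterators into `next_str`. Reassigning the string releases that buffer, so every use of `match`, including `report_error` callbacks from the checks above, must come before this line. */`. The fix now rests entirely on statement order inside a function whose start and end lie outside this hunk, which is fragile without such a note. `replace_all(next_str, original, modified)` runs after the reassignment; if `original` is anything other than an owned `std::string` copy (for instance a view or reference into the previous `next_str` contents), the same invalidation applies to it, which is worth confirming against its definition, not visible here.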