From b6c07d69e2f022f024c6ec2ff92925dbc6bbd79e Mon Sep 17 00:00:00 2001
From: Germano Cavalcante <mano-wii>
Date: Mon, 8 Mar 2021 10:29:57 -0300
Subject: [PATCH] Fix T86106: bpy.types.SpaceView3D.draw_handler_remove(...)
 causes Blender to crash

The handle of a drawing callback can be removed within the drawing function itself.

This causes `var = (type)(((Link *)(var))->next` to read an invalid memory value in C.
---
 source/blender/editors/space_api/spacetypes.c | 2 +-
 source/blender/windowmanager/intern/wm_draw.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/source/blender/editors/space_api/spacetypes.c b/source/blender/editors/space_api/spacetypes.c
index 1bd8d13b25b..ff05fb3bad6 100644
--- a/source/blender/editors/space_api/spacetypes.c
+++ b/source/blender/editors/space_api/spacetypes.c
@@ -262,7 +262,7 @@ void ED_region_draw_cb_exit(ARegionType *art, void *handle)
 
 void ED_region_draw_cb_draw(const bContext *C, ARegion *region, int type)
 {
-  LISTBASE_FOREACH (RegionDrawCB *, rdc, &region->type->drawcalls) {
+  LISTBASE_FOREACH_MUTABLE (RegionDrawCB *, rdc, &region->type->drawcalls) {
     if (rdc->type == type) {
       rdc->draw(C, region, rdc->customdata);
 
diff --git a/source/blender/windowmanager/intern/wm_draw.c b/source/blender/windowmanager/intern/wm_draw.c
index 071bce822a5..e0c4ab8eaf3 100644
--- a/source/blender/windowmanager/intern/wm_draw.c
+++ b/source/blender/windowmanager/intern/wm_draw.c
@@ -98,7 +98,7 @@ static void wm_paintcursor_draw(bContext *C, ScrArea *area, ARegion *region)
     return;
   }
 
-  LISTBASE_FOREACH (wmPaintCursor *, pc, &wm->paintcursors) {
+  LISTBASE_FOREACH_MUTABLE (wmPaintCursor *, pc, &wm->paintcursors) {
     if ((pc->space_type != SPACE_TYPE_ANY) && (area->spacetype != pc->space_type)) {
       continue;
     }