From d514ab29521bb0d8576483c434e70d78fa3f8dc7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Agust=C3=ADn=20Marsero?= <amarsero@gmail.com>
Date: Thu, 28 Nov 2024 16:55:18 +0100
Subject: [PATCH] Fixes use after free in redo of "Create Custom Bone2D(s) from
 Node(s)"

Using "queue_free" on the undo of the creation of the Bone2D meant that on the redo the Bone2D was already deleted.

Replaced it with "add_do_reference", so when the Action of the undo_redo is destroyed, also destroys the Bone2D.
---
 editor/plugins/canvas_item_editor_plugin.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/editor/plugins/canvas_item_editor_plugin.cpp b/editor/plugins/canvas_item_editor_plugin.cpp
index f73867575d82..c1103b3f445c 100644
--- a/editor/plugins/canvas_item_editor_plugin.cpp
+++ b/editor/plugins/canvas_item_editor_plugin.cpp
@@ -4805,11 +4805,12 @@ void CanvasItemEditor::_popup_callback(int p_op) {
 				undo_redo->add_do_method(new_bone, "add_child", n2d);
 				undo_redo->add_do_method(n2d, "set_transform", Transform2D());
 				undo_redo->add_do_method(this, "_set_owner_for_node_and_children", new_bone, editor_root);
+				undo_redo->add_do_reference(new_bone);
 
 				undo_redo->add_undo_method(new_bone, "remove_child", n2d);
 				undo_redo->add_undo_method(n2d_parent, "add_child", n2d);
+				undo_redo->add_undo_method(n2d_parent, "remove_child", new_bone);
 				undo_redo->add_undo_method(n2d, "set_transform", new_bone->get_transform());
-				undo_redo->add_undo_method(new_bone, "queue_free");
 				undo_redo->add_undo_method(this, "_set_owner_for_node_and_children", n2d, editor_root);
 			}
 			undo_redo->commit_action();