From b4bfb4d879856c2a5d39dd407487c3313b7d5479 Mon Sep 17 00:00:00 2001
From: Robin Dunn <robin@alldunn.com>
Date: Wed, 21 Sep 2016 22:39:54 -0700
Subject: [PATCH] Switch to the released sip 4.18.1

---
 build.py            | 10 +++++-----
 sip/siplib/objmap.c | 16 ++++++++++++++--
 sip/siplib/sip.h    |  2 +-
 3 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/build.py b/build.py
index ff51f8e7..f62a9c8c 100755
--- a/build.py
+++ b/build.py
@@ -68,12 +68,12 @@ wxICON = 'docs/sphinx/_static/images/sphinxdocs/mondrian.png'
 
 # Some tools will be downloaded for the builds. These are the versions and
 # MD5s of the tool binaries currently in use.
-sipCurrentVersion = '4.18.1.dev1606100655'
+sipCurrentVersion = '4.18.1'
 sipMD5 = {
-    'darwin'   : '48f7370706c63036fac66da6439559e8',
-    'win32'    : '138b2daa19a357ac9d92edd9a8e149b9',
-    'linux32'  : '23f00942b1eb5d69a7bdac517c4e2995',
-    'linux64'  : 'fce6937c3e67c2d099a8610890d81f87',
+    'darwin'   : 'd2e022a1dbdca3a95116ad160b3622a0',
+    'win32'    : 'd4a46b908d362d19f3fab979bf23eab8',
+    'linux32'  : '8f6e43ced87c9ee86afb707e4cfa5fed',
+    'linux64'  : 'e77e4b8810217a981a67c33bcba4d729',
 }
 
 wafCurrentVersion = '1.7.15-p1'
diff --git a/sip/siplib/objmap.c b/sip/siplib/objmap.c
index 68fcb262..56d90f59 100644
--- a/sip/siplib/objmap.c
+++ b/sip/siplib/objmap.c
@@ -270,9 +270,21 @@ static void add_object(sipObjectMap *om, void *addr, sipSimpleWrapper *val)
                 }
                 else
                 {
-                    /* We are removing it from the map here. */
-                    sipSetNotInMap(sw);
+                    /*
+                     * We are removing it from the map here.  However, note
+                     * that we first have to call the destructor before marking
+                     * it as not being in the map, as the destructor itself
+                     * might end up trying to remove the wrapper and its
+                     * aliases from the map.  In that case, if the wrapper is
+                     * already marked as not in the map, the removal will just
+                     * return early, leaving any potential aliases as stale
+                     * entries in the map.  If we later try to wrap a different
+                     * object at the same address, we end up retrieving the
+                     * stale alias entry from the object map, triggering a
+                     * use-after-free when accessing its C++ object.
+                     */
                     sip_api_common_dtor(sw);
+                    sipSetNotInMap(sw);
                 }
 
                 sw = next;
diff --git a/sip/siplib/sip.h b/sip/siplib/sip.h
index d0f7d227..674d4a4c 100644
--- a/sip/siplib/sip.h
+++ b/sip/siplib/sip.h
@@ -55,7 +55,7 @@ extern "C" {
  * Define the SIP version number.
  */
 #define SIP_VERSION         0x041201
-#define SIP_VERSION_STR     "4.18.1.dev1606100655"
+#define SIP_VERSION_STR     "4.18.1"
 
 
 /*