Commit: 8f530d6a47d8a0fa9e8d8f4bdb66510a4f18b664 Author: Bastien Montagne Date: Thu May 12 17:19:22 2022 +0200 Branches: blender-v2.93-release https://developer.blender.org/rB8f530d6a47d8a0fa9e8d8f4bdb66510a4f18b664
Fix (unreported) bad memory access in read/write code of MeshDeform modifier. This abuse of one one size value to handle another allocated array of a different size is bad in itself, but at least now read/write code of this modifier should not risk invalid memory access anymore. NOTE: invalid memory access would in practice only happen in case endian switch would be performed at read time I think (those switches only check for given length being non-zero, not for a NULL data pointer...).
===================================================================
M source/blender/modifiers/intern/MOD_meshdeform.c
===================================================================
diff --git a/source/blender/modifiers/intern/MOD_meshdeform.c b/source/blender/modifiers/intern/MOD_meshdeform.c
index a94dd6da477..50754489a50 100644
--- a/source/blender/modifiers/intern/MOD_meshdeform.c
+++ b/source/blender/modifiers/intern/MOD_meshdeform.c
@@ -602,7 +602,14 @@ static void blendWrite(BlendWriter *writer, const ModifierData *md)
 int size = mmd->dyngridsize;
 BLO_write_struct_array(writer, MDefInfluence, mmd->totinfluence, mmd->bindinfluences);
- BLO_write_int32_array(writer, mmd->totvert + 1, mmd->bindoffsets);
+ /* NOTE: `bindoffset` is abusing `totvert + 1` as its size, this becomes an incorrect value in
+ * case `totvert == 0`, since `bindoffset` is then NULL, not a size 1 allocated array. */
+ if (mmd->totvert > 0) {
+ BLO_write_int32_array(writer, mmd->totvert + 1, mmd->bindoffsets);
+ }
+ else {
+ BLI_assert(mmd->bindoffsets == NULL);
+ }
 BLO_write_float3_array(writer, mmd->totcagevert, mmd->bindcagecos);
 BLO_write_struct_array(writer, MDefCell, size * size * size, mmd->dyngrid);
 BLO_write_struct_array(writer, MDefInfluence, mmd->totinfluence, mmd->dyninfluences);
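Review bot: The comment added above the new `if` names the field `bindoffset`, but the field written on the next line is `mmd->bindoffsets`; the same slip is in the matching comment of the blendRead hunk, and a grep for the real field name will miss both notes. I'd change both comments to open with `/* NOTE: `bindoffsets` is abusing `totvert + 1` as its size, ...`. The else branch relies on `BLI_assert`, which compiles out in release builds; that is acceptable on the write side because `totvert` and `bindoffsets` are in-memory state rather than file input, but the comment should state plainly that a non-NULL `bindoffsets` with `totvert == 0` is simply not written. blendWrite's opening lines are outside the hunk.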
@@ -614,7 +621,11 @@ static void blendRead(BlendDataReader *reader, ModifierData *md)
 MeshDeformModifierData *mmd = (MeshDeformModifierData *)md;
 BLO_read_data_address(reader, &mmd->bindinfluences);
- BLO_read_int32_array(reader, mmd->totvert + 1, &mmd->bindoffsets);
+ /* NOTE: `bindoffset` is abusing `totvert + 1` as its size, this becomes an incorrect value in
+ * case `totvert == 0`, since `bindoffset` is then NULL, not a size 1 allocated array. */
+ if (mmd->totvert > 0) {
+ BLO_read_int32_array(reader, mmd->totvert + 1, &mmd->bindoffsets);
+ }
 BLO_read_float3_array(reader, mmd->totcagevert, &mmd->bindcagecos);
 BLO_read_data_address(reader, &mmd->dyngrid);
 BLO_read_data_address(reader, &mmd->dyninfluences);
_______________________________________________
Bf-blender-cvs mailing list
Bf-blender-cvs@blender.org
List details, subscription details or unsubscribe: https://lists.blender.org/mailman/listinfo/bf-blender-cvs
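Review bot: When `mmd->totvert` is 0 the new code skips `BLO_read_int32_array` but leaves `mmd->bindoffsets` untouched, so it keeps whatever raw pointer value the struct carried in the file, and unless the reader nulls unresolved pointers elsewhere (not visible in this hunk) a file whose header has `totvert == 0` together with a non-NULL `bindoffsets` would hand the deform code a dangling pointer. Since `totvert` here comes from the file rather than from memory the modifier populated, I'd add an explicit else branch: `else { mmd->bindoffsets = NULL; }`. That also makes the loaded state satisfy the `BLI_assert(mmd->bindoffsets == NULL)` expectation the write side now has, regardless of file contents. blendRead's body continues past the end of the hunk.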