diff options
| author | Bastien Montagne <bastien@blender.org> | 2022-05-12 18:19:22 +0300 |
|---|---|---|
| committer | Philipp Oeser <info@graphics-engineer.com> | 2022-06-16 10:30:12 +0300 |
| commit | 8f530d6a47d8a0fa9e8d8f4bdb66510a4f18b664 (patch) | |
| tree | 24fb0c015a38d194517d73e0ff280ebca605ffb0 | |
| parent | 354c22b28c319726c8a89fd198d141072b2f8c21 (diff) | |
Fix (unreported) bad memory access in read/write code of MeshDeform modifier.
This abuse of one one size value to handle another allocated array of a
different size is bad in itself, but at least now read/write code of
this modifier should not risk invalid memory access anymore.
NOTE: invalid memory access would in practice only happen in case endian
switch would be performed at read time I think (those switches only check
for given length being non-zero, not for a NULL data pointer...).
| -rw-r--r-- | source/blender/modifiers/intern/MOD_meshdeform.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/source/blender/modifiers/intern/MOD_meshdeform.c b/source/blender/modifiers/intern/MOD_meshdeform.c index a94dd6da477..50754489a50 100644 --- a/source/blender/modifiers/intern/MOD_meshdeform.c +++ b/source/blender/modifiers/intern/MOD_meshdeform.c @@ -602,7 +602,14 @@ static void blendWrite(BlendWriter *writer, const ModifierData *md) int size = mmd->dyngridsize; BLO_write_struct_array(writer, MDefInfluence, mmd->totinfluence, mmd->bindinfluences); - BLO_write_int32_array(writer, mmd->totvert + 1, mmd->bindoffsets); + /* NOTE: `bindoffset` is abusing `totvert + 1` as its size, this becomes an incorrect value in + * case `totvert == 0`, since `bindoffset` is then NULL, not a size 1 allocated array. */ + if (mmd->totvert > 0) { + BLO_write_int32_array(writer, mmd->totvert + 1, mmd->bindoffsets); + } + else { + BLI_assert(mmd->bindoffsets == NULL); + } BLO_write_float3_array(writer, mmd->totcagevert, mmd->bindcagecos); BLO_write_struct_array(writer, MDefCell, size * size * size, mmd->dyngrid); BLO_write_struct_array(writer, MDefInfluence, mmd->totinfluence, mmd->dyninfluences); @@ -614,7 +621,11 @@ static void blendRead(BlendDataReader *reader, ModifierData *md) MeshDeformModifierData *mmd = (MeshDeformModifierData *)md; BLO_read_data_address(reader, &mmd->bindinfluences); - BLO_read_int32_array(reader, mmd->totvert + 1, &mmd->bindoffsets); + /* NOTE: `bindoffset` is abusing `totvert + 1` as its size, this becomes an incorrect value in + * case `totvert == 0`, since `bindoffset` is then NULL, not a size 1 allocated array. */ + if (mmd->totvert > 0) { + BLO_read_int32_array(reader, mmd->totvert + 1, &mmd->bindoffsets); + } BLO_read_float3_array(reader, mmd->totcagevert, &mmd->bindcagecos); BLO_read_data_address(reader, &mmd->dyngrid); BLO_read_data_address(reader, &mmd->dyninfluences); |