Fix T87232: Crash when evaluating object with unsupported modifier

Fix `nullptr` redeference when setting 'orig_data' pointers on CoW copies,
by stopping the loop also when `element_cow == nullptr`. This avoids a
crash of Blender when the original list of pointers is longer than the
CoW list of pointers.

I've also added a `BLI_assert()` that checks for equal lengths of the
two `ListBase`s, so that problems like these aren't hidden away completely.

The root cause of the crash was actually a modifier that was assigned to
an object of the wrong type (an Armature object doesn't support modifiers).
This caused the list of modifiers on the CoW copy to be shorter than the
list of modifiers on the original Object. It's still a mystery how that
object got that modifier in the first place.

1 files changed, 7 insertions, 1 deletions

diff --git a/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc b/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc
index 2544bb1642c..e1959c8bf5e 100644
--- a/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc
+++ b/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc
@@ -653,11 +653,17 @@ void update_list_orig_pointers(const ListBase *listbase_orig,
 {
   T *element_orig = reinterpret_cast<T *>(listbase_orig->first);
   T *element_cow = reinterpret_cast<T *>(listbase->first);
-  while (element_orig != nullptr) {
+
+  /* Both lists should have the same number of elements, so the check on
+   * `element_cow` is just to prevent a crash if this is not the case. */
+  while (element_orig != nullptr && element_cow != nullptr) {
     element_cow->*orig_field = element_orig;
     element_cow = element_cow->next;
     element_orig = element_orig->next;
   }
+
+  BLI_assert((element_orig == nullptr && element_cow == nullptr) ||
+             !"list of pointers of different sizes, unable to reliably set orig pointer");
 }
 
 void update_particle_system_orig_pointers(const Object *object_orig, Object *object_cow)