diff options
author | Kévin Dietrich <kevin.dietrich@mailoo.org> | 2022-01-06 13:47:40 +0300 |
---|---|---|
committer | Kévin Dietrich <kevin.dietrich@mailoo.org> | 2022-01-06 13:48:44 +0300 |
commit | 88e15ff1e6864959782cc8af1f874c60c51764f4 (patch) | |
tree | 9268525da25cd505169383f6f47657644c64fb07 /source/blender/io/alembic/intern | |
parent | ed3fecae8e5f6f542fcfe0d58e7275283c982b3a (diff) |
Fix T94674: crash reading ORCOs from an Alembic animation
The crash is caused as the data is only for the first frame, but the mesh
changes topology, so reading the data in subsequent frames causes a
buffer overflow. To fix this, we check that the data size matches the
mesh's vertex count.
Diffstat (limited to 'source/blender/io/alembic/intern')
-rw-r--r-- | source/blender/io/alembic/intern/abc_customdata.cc | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/source/blender/io/alembic/intern/abc_customdata.cc b/source/blender/io/alembic/intern/abc_customdata.cc index 830ec731e20..4e2dcc9b8cd 100644 --- a/source/blender/io/alembic/intern/abc_customdata.cc +++ b/source/blender/io/alembic/intern/abc_customdata.cc @@ -545,6 +545,12 @@ void read_generated_coordinates(const ICompoundProperty &prop, const size_t totvert = abc_ocro.get()->size(); Mesh *mesh = config.mesh; + if (totvert != mesh->totvert) { + /* Either the data is somehow corrupted, or we have a dynamic simulation where only the ORCOs + * for the first frame were exported. */ + return; + } + void *cd_data; if (CustomData_has_layer(&mesh->vdata, CD_ORCO)) { cd_data = CustomData_get_layer(&mesh->vdata, CD_ORCO); |