From 2dce6dccbb64061bc5df56b417da45047aa1e8dc Mon Sep 17 00:00:00 2001
From: Antony Riakiotakis
Date: Fri, 24 Jul 2015 12:24:05 +0200
Subject: Fix out of bounds memory access when copying loose vertices in cddm Caused by own fix for too much allocated memory not taking all code into account.
---
 source/blender/blenkernel/intern/cdderivedmesh.c | 16 ++++++++--------
 source/blender/blenkernel/intern/subsurf_ccg.c | 2 +-
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/source/blender/blenkernel/intern/cdderivedmesh.c b/source/blender/blenkernel/intern/cdderivedmesh.c
index 9a41c7397ae..ee73f5d2210 100644
--- a/source/blender/blenkernel/intern/cdderivedmesh.c
+++ b/source/blender/blenkernel/intern/cdderivedmesh.c
@@ -639,7 +639,7 @@ static void cdDM_drawMappedFaces(
 int i, j;
 int start_element = 0, tot_element, tot_drawn;
 int totpoly;
- int tottri;
+ int tot_tri_elem;
 int mat_index;
 GPUBuffer *findex_buffer = NULL;
@@ -705,14 +705,14 @@ static void cdDM_drawMappedFaces(
 glShadeModel(GL_SMOOTH);
- tottri = dm->drawObject->tot_triangle_point;
+ tot_tri_elem = dm->drawObject->tot_triangle_point;
- if (tottri == 0) {
+ if (tot_tri_elem == 0) {
 /* avoid buffer problems in following code */
 }
 else if (setDrawOptions == NULL) {
 /* just draw the entire face array */
- GPU_buffer_draw_elements(dm->drawObject->triangles, GL_TRIANGLES, 0, tottri);
+ GPU_buffer_draw_elements(dm->drawObject->triangles, GL_TRIANGLES, 0, tot_tri_elem);
 }
 else {
 for (mat_index = 0; mat_index < dm->drawObject->totmaterial; mat_index++) {
@@ -1281,9 +1281,9 @@ static void cdDM_buffer_copy_vertex(
 }
 /* copy loose points */
- j = dm->drawObject->tot_triangle_point * 3;
+ j = dm->drawObject->tot_loop_verts;
 for (i = 0; i < dm->drawObject->totvert; i++) {
- if (dm->drawObject->vert_points[i].point_index >= dm->drawObject->tot_triangle_point) {
+ if (dm->drawObject->vert_points[i].point_index >= dm->drawObject->tot_loop_verts) {
 copy_v3_v3(&varray[j], mvert[i].co);
 j += 3;
 }
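Review bot: The new start offset `j = dm->drawObject->tot_loop_verts;` in the `@@ -1281` hunk (the "copy loose points" part of cdDM_buffer_copy_vertex) drops the `* 3` that the removed line had, while the loop below it still writes three components with `copy_v3_v3(&varray[j], mvert[i].co)` and advances with `j += 3`. If varray is indexed per float, as that stride suggests (its declaration is outside the hunk), loose vertices now start at element tot_loop_verts instead of after the last loop vertex, so they would overwrite coordinates already written for loop vertices rather than being appended. The offset should stay scaled to components: `j = dm->drawObject->tot_loop_verts * 3;`. The comparison `point_index >= tot_loop_verts` counts points and looks right as written. The function body begins and ends outside the hunk.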
@@ -1607,7 +1607,7 @@ static void cdDM_drawobject_init_vert_points(
 gdo->vert_points = MEM_mallocN(sizeof(GPUVertPointLink) * gdo->totvert, "GPUDrawObject.vert_points");
 #ifdef USE_GPU_POINT_LINK
- gdo->vert_points_mem = MEM_callocN(sizeof(GPUVertPointLink) * gdo->tot_triangle_point,
+ gdo->vert_points_mem = MEM_callocN(sizeof(GPUVertPointLink) * gdo->totvert,
 "GPUDrawObject.vert_points_mem");
 gdo->vert_points_usage = 0;
 #endif
@@ -1644,7 +1644,7 @@ static void cdDM_drawobject_init_vert_points(
 /* map any unused vertices to loose points */
 for (i = 0; i < gdo->totvert; i++) {
 if (gdo->vert_points[i].point_index == -1) {
- gdo->vert_points[i].point_index = gdo->tot_triangle_point + gdo->tot_loose_point;
+ gdo->vert_points[i].point_index = gdo->tot_loop_verts + gdo->tot_loose_point;
 gdo->tot_loose_point++;
 }
 }
diff --git a/source/blender/blenkernel/intern/subsurf_ccg.c b/source/blender/blenkernel/intern/subsurf_ccg.c
index 0fb5584d49d..33bc593d016 100644
--- a/source/blender/blenkernel/intern/subsurf_ccg.c
+++ b/source/blender/blenkernel/intern/subsurf_ccg.c
@@ -2508,7 +2508,7 @@ static GPUDrawObject *ccgDM_GPUObjectNew(DerivedMesh *dm)
 /* create the GPUDrawObject */
 gdo = MEM_callocN(sizeof(GPUDrawObject), "GPUDrawObject");
- gdo->totvert = ccgSubSurf_getNumFinalFaces(ss) * 4; /* doesn't really matter since we don't use indices */
+ gdo->totvert = 0; /* used to count indices, doesn't really matter for ccgsubsurf */
 gdo->totedge = (totedge * gridFaces * 2 + tot_internal_edges);
 /* count the number of materials used by this DerivedMesh */
-- 
cgit v1.2.3
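Review bot: In the `@@ -1607` hunk the link pool `vert_points_mem` shrinks from `tot_triangle_point` to `totvert` entries, and nothing visible bounds `vert_points_usage` by the new size. The code that takes links from the pool is outside the hunk; if it takes one link for each further point that maps to an already used vertex, a vertex shared by many faces could push usage past `totvert`, which the old size would have covered. I would state the sizing invariant in a comment at the allocation and add `BLI_assert(gdo->vert_points_usage < gdo->totvert);` where a link is handed out, or size the pool by the loop count if that is the real upper bound.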