From 6cd977b903f46ee0f33c4fb2fb1f00e084cb56e9 Mon Sep 17 00:00:00 2001
From: Hans Goudey <h.goudey@me.com>
Date: Sat, 22 Jan 2022 13:06:15 -0600
Subject: Fix T94760: Crash building BMesh when opening file

A large polygon in the file from the report caused `alloca`
to exceed the maximum stack size, causing a crash.  Instead
of using `alloca`, use `blender::Array` with an inline buffer.

Based on a patch by Germano Cavalcante (@mano-wii).

Differential Revision: https://developer.blender.org/D13898
---
 source/blender/bmesh/intern/bmesh_mesh_convert.cc | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/source/blender/bmesh/intern/bmesh_mesh_convert.cc b/source/blender/bmesh/intern/bmesh_mesh_convert.cc
index b404c412160..9d758386336 100644
--- a/source/blender/bmesh/intern/bmesh_mesh_convert.cc
+++ b/source/blender/bmesh/intern/bmesh_mesh_convert.cc
@@ -79,6 +79,7 @@
 #include "MEM_guardedalloc.h"
 
 #include "BLI_alloca.h"
+#include "BLI_array.hh"
 #include "BLI_listbase.h"
 #include "BLI_math_vector.h"
 
@@ -95,6 +96,8 @@
 #include "bmesh.h"
 #include "intern/bmesh_private.h" /* For element checking. */
 
+using blender::Array;
+
 void BM_mesh_cd_flag_ensure(BMesh *bm, Mesh *mesh, const char cd_flag)
 {
   const char cd_flag_all = BM_mesh_cd_flag_from_bmesh(bm) | cd_flag;
@@ -178,8 +181,8 @@ char BM_mesh_cd_flag_from_bmesh(BMesh *bm)
 static BMFace *bm_face_create_from_mpoly(
     MPoly *mp, MLoop *ml, BMesh *bm, BMVert **vtable, BMEdge **etable)
 {
-  BMVert **verts = (BMVert **)BLI_array_alloca(verts, mp->totloop);
-  BMEdge **edges = (BMEdge **)BLI_array_alloca(edges, mp->totloop);
+  Array<BMVert *, BM_DEFAULT_NGON_STACK_SIZE> verts(mp->totloop);
+  Array<BMEdge *, BM_DEFAULT_NGON_STACK_SIZE> edges(mp->totloop);
   int j;
 
   for (j = 0; j < mp->totloop; j++, ml++) {
@@ -187,7 +190,7 @@ static BMFace *bm_face_create_from_mpoly(
     edges[j] = etable[ml->e];
   }
 
-  return BM_face_create(bm, verts, edges, mp->totloop, nullptr, BM_CREATE_SKIP_CD);
+  return BM_face_create(bm, verts.data(), edges.data(), mp->totloop, nullptr, BM_CREATE_SKIP_CD);
 }
 
 void BM_mesh_bm_from_me(BMesh *bm, const Mesh *me, const struct BMeshFromMeshParams *params)
-- 
cgit v1.2.3