From ea32a0380148b3261679eded2149ebac7e3a15ef Mon Sep 17 00:00:00 2001
From: Sergey Sharybin
Date: Mon, 11 Jul 2016 17:58:42 +0200
Subject: Fix T48824: Crash when having too many ray-to-volume intersections

Code might have writing past the array boundaries.
---
 intern/cycles/kernel/bvh/qbvh_volume_all.h | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

(limited to 'intern/cycles/kernel/bvh/qbvh_volume_all.h')

diff --git a/intern/cycles/kernel/bvh/qbvh_volume_all.h b/intern/cycles/kernel/bvh/qbvh_volume_all.h
index 4d3028b37bf..a877e5bb341 100644
--- a/intern/cycles/kernel/bvh/qbvh_volume_all.h
+++ b/intern/cycles/kernel/bvh/qbvh_volume_all.h
@@ -268,13 +268,11 @@ ccl_device uint BVH_FUNCTION_FULL_NAME(QBVH)(KernelGlobals *kg,
 /* Intersect ray against primitive. */
 hit = triangle_intersect(kg, &isect_precalc, isect_array, P, visibility, object, prim_addr);
 if(hit) {
- /* Move on to next entry in intersections array. */
- isect_array++;
+ /* Update number of hits now, so we do proper check on max bounces. */
 num_hits++;
 #if BVH_FEATURE(BVH_INSTANCING)
 num_hits_in_instance++;
 #endif
- isect_array->t = isect_t;
 if(num_hits == max_hits) {
 #if BVH_FEATURE(BVH_INSTANCING)
 # if BVH_FEATURE(BVH_MOTION)
@@ -289,6 +287,9 @@ ccl_device uint BVH_FUNCTION_FULL_NAME(QBVH)(KernelGlobals *kg,
 #endif /* BVH_FEATURE(BVH_INSTANCING) */
 return num_hits;
 }
+ /* Move on to next entry in intersections array */
+ isect_array++;
+ isect_array->t = isect_t;
 }
 }
 break;
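Review bot: The only bound on writes into `isect_array` is still the exact comparison `if(num_hits == max_hits)`, and `triangle_intersect()` is handed `isect_array` before any limit is checked. If a caller can ever pass `max_hits` as 0 (the callers are not visible in this patch), the first hit is presumably stored past the end of the buffer and the counter then never equals the limit, so traversal keeps advancing the pointer. Consider `if(num_hits >= max_hits)` here and in the motion-triangle branch, plus an early `if(max_hits == 0) return 0;` or an assert at function entry. The function body starts and ends outside these hunks.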
@@ -306,13 +307,11 @@ ccl_device uint BVH_FUNCTION_FULL_NAME(QBVH)(KernelGlobals *kg,
 /* Intersect ray against primitive. */
 hit = motion_triangle_intersect(kg, isect_array, P, dir, ray->time, visibility, object, prim_addr);
 if(hit) {
- /* Move on to next entry in intersections array. */
- isect_array++;
+ /* Update number of hits now, so we do proper check on max bounces. */
 num_hits++;
 # if BVH_FEATURE(BVH_INSTANCING)
 num_hits_in_instance++;
 # endif
- isect_array->t = isect_t;
 if(num_hits == max_hits) {
 # if BVH_FEATURE(BVH_INSTANCING)
 # if BVH_FEATURE(BVH_MOTION)
@@ -327,6 +326,9 @@ ccl_device uint BVH_FUNCTION_FULL_NAME(QBVH)(KernelGlobals *kg,
 # endif /* BVH_FEATURE(BVH_INSTANCING) */
 return num_hits;
 }
+ /* Move on to next entry in intersections array */
+ isect_array++;
+ isect_array->t = isect_t;
 }
 }
 break;
-- 
cgit v1.2.3
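Review bot: The added comment says the count is updated for a "check on max bounces", but the check below it is against `max_hits`; the same wording is in the triangle branch. Something like `/* Count the hit first so the max_hits check runs before isect_array is advanced. */` would record the ordering this fix relies on. The motion-triangle bookkeeping is also a line-for-line copy of the triangle branch, so a small shared helper or macro for "count hit, check limit, advance" would keep the two from drifting apart again. The enclosing function continues outside the hunks.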