From d8681c99c4290d38f38e67a2e1b9f7119221a569 Mon Sep 17 00:00:00 2001
From: Alexander Gavrilov <angavrilov@gmail.com>
Date: Sat, 10 Sep 2016 21:15:52 +0300
Subject: Fix OpenSubdiv related buffer overrun with multiple FVar channels.

The existing code uses the input value count of the first channel
for all of them. If the first channel is the largest, it leads to
a crash-causing buffer overrun in memcpy below. Likely this was
left since the time when only one channel was supported.

As a crash fix, probably should go into 2.78
---
 intern/opensubdiv/opensubdiv_capi.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'intern')

diff --git a/intern/opensubdiv/opensubdiv_capi.cc b/intern/opensubdiv/opensubdiv_capi.cc
index ab904953c70..52ce98fe74b 100644
--- a/intern/opensubdiv/opensubdiv_capi.cc
+++ b/intern/opensubdiv/opensubdiv_capi.cc
@@ -165,7 +165,7 @@ static void interpolate_fvar_data(OpenSubdiv::Far::TopologyRefiner& refiner,
 	const int max_level = refiner.GetMaxLevel();
 	size_t fvar_data_offset = 0, values_offset = 0;
 	for (int channel = 0; channel < refiner.GetNumFVarChannels(); ++channel) {
-		const int num_values = refiner.GetLevel(0).GetNumFVarValues(0) * 2,
+		const int num_values = refiner.GetLevel(0).GetNumFVarValues(channel) * 2,
 		          num_values_max = refiner.GetLevel(max_level).GetNumFVarValues(channel),
 		          num_values_total = refiner.GetNumFVarValuesTotal(channel);
 		if (num_values_total <= 0) {
-- 
cgit v1.2.3