From 97edca3bc9441eb5c99ed56e7d67b083931215b0 Mon Sep 17 00:00:00 2001
From: Campbell Barton <ideasman42@gmail.com>
Date: Tue, 8 Mar 2011 03:14:59 +0000
Subject: Old IDProperty bug, (from original commit r8916), found crash while
 changing operator string size.

Shrinking arrays never worked right.
rather then "newlen * sizeof(...)", it would memcpy "newlen * oldlen * sizeof(...)" which always goes over the array bounds.
---
 source/blender/blenkernel/intern/idprop.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'source/blender/blenkernel/intern/idprop.c')

diff --git a/source/blender/blenkernel/intern/idprop.c b/source/blender/blenkernel/intern/idprop.c
index 40d12e06320..67be3e71101 100644
--- a/source/blender/blenkernel/intern/idprop.c
+++ b/source/blender/blenkernel/intern/idprop.c
@@ -240,7 +240,7 @@ void IDP_ResizeArray(IDProperty *prop, int newlen)
 	else {
 		/* newlen is smaller*/
 		idp_resize_group_array(prop, newlen, newarr);
-		memcpy(newarr, prop->data.pointer, newlen*prop->len*idp_size_table[(int)prop->subtype]);
+		memcpy(newarr, prop->data.pointer, newlen*idp_size_table[(int)prop->subtype]);
 	}
 
 	MEM_freeN(prop->data.pointer);
-- 
cgit v1.2.3