From 9b9f84b317feff9454f124330bd3aa774493c003 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?= Date: Mon, 25 May 2020 09:43:01 +0200 Subject: Fix crash when converting BMesh to Mesh with shape keys The `BM_mesh_bm_to_me()` function copies shape keys from the BMesh to the Mesh. However, it tries to copy the same number of shape keys as are defined on the target mesh. Since the target mesh does not necessarily have the same number of shape keys as the BMesh, this would crash if the target Mesh has more. Found while performing some tests for {D7785}. Differential Revision: https://developer.blender.org/D7818 Reviewed by: brecht --- source/blender/bmesh/intern/bmesh_mesh_conv.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source/blender/bmesh') diff --git a/source/blender/bmesh/intern/bmesh_mesh_conv.c b/source/blender/bmesh/intern/bmesh_mesh_conv.c index de32d7881b0..b8508f7e12c 100644 --- a/source/blender/bmesh/intern/bmesh_mesh_conv.c +++ b/source/blender/bmesh/intern/bmesh_mesh_conv.c @@ -893,6 +893,10 @@ void BM_mesh_bm_to_me(Main *bmain, BMesh *bm, Mesh *me, const struct BMeshToMesh j = bm_to_mesh_shape_layer_index_from_kb(bm, currkey); cd_shape_offset = CustomData_get_n_offset(&bm->vdata, CD_SHAPEKEY, j); + if (cd_shape_offset < 0) { + /* The target Mesh has more shapekeys than the BMesh. */ + continue; + } fp = newkey = MEM_callocN(me->key->elemsize * bm->totvert, "currkey->data"); oldkey = currkey->data; -- cgit v1.2.3