From b51562ed76d5428ed4d511cd248d1b059e341661 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?=
Date: Thu, 8 Apr 2021 18:54:55 +0200
Subject: Fix T87232: Crash when evaluating object with unsupported modifier

Fix `nullptr` redeference when setting 'orig_data' pointers on CoW copies, by stopping the loop also when `element_cow == nullptr`. This avoids a crash of Blender when the original list of pointers is longer than the CoW list of pointers. I've also added a `BLI_assert()` that checks for equal lengths of the two `ListBase`s, so that problems like these aren't hidden away completely. The root cause of the crash was actually a modifier that was assigned to an object of the wrong type (an Armature object doesn't support modifiers). This caused the list of modifiers on the CoW copy to be shorter than the list of modifiers on the original Object. It's still a mystery how that object got that modifier in the first place.
---
 source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc')

diff --git a/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc b/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc
index 2544bb1642c..e1959c8bf5e 100644
--- a/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc
+++ b/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc
@@ -653,11 +653,17 @@ void update_list_orig_pointers(const ListBase *listbase_orig,
 {
 T *element_orig = reinterpret_cast(listbase_orig->first);
 T *element_cow = reinterpret_cast(listbase->first);
- while (element_orig != nullptr) {
+
+ /* Both lists should have the same number of elements, so the check on
+ * `element_cow` is just to prevent a crash if this is not the case. */
+ while (element_orig != nullptr && element_cow != nullptr) {
 element_cow->*orig_field = element_orig;
 element_cow = element_cow->next;
 element_orig = element_orig->next;
 }
+
+ BLI_assert((element_orig == nullptr && element_cow == nullptr) ||
+ !"list of pointers of different sizes, unable to reliably set orig pointer");
 }
 
 void update_particle_system_orig_pointers(const Object *object_orig, Object *object_cow)
-- cgit v1.2.3
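Review bot: The loop in `update_list_orig_pointers` still pairs elements by position, so the added `element_cow != nullptr` check stops the null dereference but not a mispairing: if the CoW list is shorter because an element in the middle was skipped (the commit message does not say where the unsupported modifier sat), every later `element_cow->*orig_field` points at the wrong original. The only signal is the `BLI_assert` after the loop, and if that macro is compiled out of release builds, as assertions usually are, the mismatch goes unreported there. I would extend the comment above the loop to say so, e.g. `/* On a length mismatch, orig pointers set below may be wrong, not merely missing for the tail. */`, and consider reporting the mismatch unconditionally rather than only through the assert. The function's signature lies above the hunk, so what callers expect of the orig pointers is not visible here.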