From 39067824060f83d1da66df7bf8d779e9ebe7c76e Mon Sep 17 00:00:00 2001
From: Antony Riakiotakis
Date: Tue, 23 Sep 2014 19:05:31 +0200
Subject: Fix possible buffer overflow in selection code.

We want to copy the number of selected data since the offset, not the offset!
---
 source/blender/editors/space_view3d/view3d_select.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'source/blender/editors/space_view3d/view3d_select.c')

diff --git a/source/blender/editors/space_view3d/view3d_select.c b/source/blender/editors/space_view3d/view3d_select.c
index 46ea52054c5..c26ce276dc3 100644
--- a/source/blender/editors/space_view3d/view3d_select.c
+++ b/source/blender/editors/space_view3d/view3d_select.c
@@ -1181,14 +1181,14 @@ static short selectbuffer_ret_hits_15(unsigned int *UNUSED(buffer), const short
 static short selectbuffer_ret_hits_9(unsigned int *buffer, const short hits15, const short hits9)
 {
     const int offs = 4 * hits15;
-    memcpy(buffer, buffer + offs, 4 * offs);
+    memcpy(buffer, buffer + offs, 4 * hits9);
     return hits9;
 }
 
 static short selectbuffer_ret_hits_5(unsigned int *buffer, const short hits15, const short hits9, const short hits5)
 {
     const int offs = 4 * hits15 + 4 * hits9;
-    memcpy(buffer, buffer + offs, 4 * offs);
+    memcpy(buffer, buffer + offs, 4 * hits5);
     return hits5;
 }
 
-- 
cgit v1.2.3
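Review bot: The new length in `selectbuffer_ret_hits_9` is still in the wrong unit: `memcpy` counts bytes, while `buffer` is `unsigned int *` and `offs` is applied as an element offset, so `4 * hits9` moves only a quarter of the data if each hit occupies four `unsigned int`s, as the `4 * hits15` offset suggests. The read no longer scales with the offset, but the records past the first quarter would presumably be left stale at the front of the buffer; the length should be `4 * hits9 * sizeof(unsigned int)`, and `selectbuffer_ret_hits_5` needs the same with `hits5`. Source and destination are the same buffer, so `memmove` is the safer call unless the callers guarantee `hits9 <= hits15` and `hits5 <= hits15 + hits9`, which is not visible in this hunk. The counts are signed `short`, so a negative value would convert to a very large `size_t` length; a guard or assertion is worth adding if the callers do not already filter that case.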