From de581a2302297c5e235cd6dfc51760ac7225827c Mon Sep 17 00:00:00 2001
From: Campbell Barton
Date: Mon, 8 Nov 2021 15:14:21 +1100
Subject: Fix reading the 3rd value of 2D cursors when transforming

Out of bounds read and potential out-of-bounds write when transforming the 2D cursor for image editor and sequencer. While this didn't cause user visible bugs in my tests, it's error prone and should be avoided. Use TransData2D for 2D cursors.
---
.../editors/transform/transform_convert_cursor.c | 23 ++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)
(limited to 'source/blender/editors')
diff --git a/source/blender/editors/transform/transform_convert_cursor.c b/source/blender/editors/transform/transform_convert_cursor.c
index ed96eba7f6c..4846e8d2d1a 100644
--- a/source/blender/editors/transform/transform_convert_cursor.c
+++ b/source/blender/editors/transform/transform_convert_cursor.c
@@ -43,44 +43,51 @@ static void createTransCursor_2D_impl(TransInfo *t, float cursor_location[2]) { TransData *td; + TransData2D *td2d; { BLI_assert(t->data_container_len == 1); TransDataContainer *tc = t->data_container; tc->data_len = 1; td = tc->data = MEM_callocN(sizeof(TransData), "TransTexspace"); - td->ext = tc->data_ext = MEM_callocN(sizeof(TransDataExtension), "TransTexspace"); + td2d = tc->data_2d = MEM_callocN(tc->data_len * sizeof(TransData2D), "TransObData2D(Cursor)"); + td->ext = tc->data_ext = MEM_callocN(sizeof(TransDataExtension), "TransCursorExt"); } td->flag = TD_SELECTED; + td2d->loc2d = cursor_location; + /* UV coords are scaled by aspects (see #UVsToTransData). This also applies for the Cursor in the * UV Editor which also means that for display and when the cursor coords are flushed * (recalcData_cursor_image), these are converted each time. */ - cursor_location[0] = cursor_location[0] * t->aspect[0]; - cursor_location[1] = cursor_location[1] * t->aspect[1]; + td2d->loc[0] = cursor_location[0] * t->aspect[0]; + td2d->loc[1] = cursor_location[1] * t->aspect[1]; + td2d->loc[2] = 0.0f; + + copy_v3_v3(td->center, td2d->loc); - copy_v3_v3(td->center, cursor_location); td->ob = NULL; unit_m3(td->mtx); unit_m3(td->axismtx); pseudoinverse_m3_m3(td->smtx, td->mtx, PSEUDOINVERSE_EPSILON); - td->loc = cursor_location; - copy_v3_v3(td->iloc, cursor_location); + td->loc = td2d->loc; + copy_v3_v3(td->iloc, td2d->loc); } static void recalcData_cursor_2D_impl(TransInfo *t) { TransDataContainer *tc = t->data_container; TransData *td = tc->data; + TransData2D *td2d = tc->data_2d; float aspect_inv[2]; aspect_inv[0] = 1.0f / t->aspect[0]; aspect_inv[1] = 1.0f / t->aspect[1]; - td->loc[0] = td->loc[0] * aspect_inv[0]; - td->loc[1] = td->loc[1] * aspect_inv[1]; + td2d->loc2d[0] = td->loc[0] * aspect_inv[0]; + td2d->loc2d[1] = td->loc[1] * aspect_inv[1]; DEG_id_tag_update(&t->scene->id, ID_RECALC_COPY_ON_WRITE); } -- cgit v1.2.3
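Review bot: Nothing at `td->loc = td2d->loc;` in createTransCursor_2D_impl records the invariant this fix depends on, so a later edit could point `td->loc` back at the caller's two-float cursor and bring the out-of-bounds access back. The removed `copy_v3_v3(td->center, cursor_location)` read three floats from a `float[2]` parameter, and the new code is safe only because `td->center`, `td->iloc` and `td->loc` are now all fed from `td2d->loc`, whose third element is set explicitly. I would add a comment above that assignment, for example `/* td->loc is read and written as float[3]: it must point at td2d->loc, never at the 2-float cursor. */`. Next to `td2d->loc2d = cursor_location;` a second comment should say that the pointer is borrowed and written through later by recalcData_cursor_2D_impl, so the caller's storage has to stay valid for the whole transform. As a smaller point, the `tc->data` allocation keeps the `"TransTexspace"` label while the extension was renamed to `"TransCursorExt"`, which looks like an oversight and makes allocator reports harder to attribute.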