From 3957efdd38d0d5136f8d106de3a79e07b7b0b15f Mon Sep 17 00:00:00 2001
From: Campbell Barton
Date: Fri, 14 Sep 2012 06:15:46 +0000
Subject: fix for out-of-bounds checks for fcurve modifier and poselib, also check for NULL members of avi structure (since they are checked for NULL later.)
---
 source/blender/avi/intern/avi.c | 10 ++++++----
 source/blender/blenkernel/intern/fmodifier.c | 4 ++--
 source/blender/editors/armature/poselib.c | 2 +-
 3 files changed, 9 insertions(+), 7 deletions(-)
(limited to 'source/blender')
diff --git a/source/blender/avi/intern/avi.c b/source/blender/avi/intern/avi.c
index 39424057faf..cda2cf303eb 100644
--- a/source/blender/avi/intern/avi.c
+++ b/source/blender/avi/intern/avi.c
@@ -734,9 +734,10 @@ AviError AVI_close(AviMovie *movie)
 fclose(movie->fp);
- for (i = 0; i < movie->header->Streams; i++) {
- if (movie->streams[i].sf != NULL)
+ for (i = 0; movie->header && (i < movie->header->Streams); i++) {
+ if (movie->streams && (movie->streams[i].sf != NULL)) {
 MEM_freeN(movie->streams[i].sf);
+ }
 }
 if (movie->header != NULL)
@@ -1081,9 +1082,10 @@ AviError AVI_close_compress(AviMovie *movie)
 fclose(movie->fp);
- for (i = 0; i < movie->header->Streams; i++) {
- if (movie->streams[i].sf != NULL)
+ for (i = 0; movie->header && (i < movie->header->Streams); i++) {
+ if (movie->streams && (movie->streams[i].sf != NULL)) {
 MEM_freeN(movie->streams[i].sf);
+ }
 }
 if (movie->header != NULL) MEM_freeN(movie->header);
diff --git a/source/blender/blenkernel/intern/fmodifier.c b/source/blender/blenkernel/intern/fmodifier.c
index 438188b1e2a..538d2469a93 100644
--- a/source/blender/blenkernel/intern/fmodifier.c
+++ b/source/blender/blenkernel/intern/fmodifier.c
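Review bot: In avi.c, `fclose(movie->fp)` on the context line above the loop is still called without a NULL test, so the new `movie->header` / `movie->streams` guards do not make AVI_close safe for a partially initialised AviMovie if `fp` can be NULL as well (whether it can is not visible in the hunk). I would guard it with `if (movie->fp) fclose(movie->fp);`. The `movie->streams` test is also loop-invariant yet is re-evaluated on every iteration, so hoisting both checks reads more clearly: `if (movie->header && movie->streams) { for (i = 0; i < movie->header->Streams; i++) ... }`. The same two points apply to the AVI_close_compress hunk at -1081; both function bodies start and end outside the hunks.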
@@ -965,8 +965,8 @@ FModifierTypeInfo *get_fmodifier_typeinfo(int type)
 }
 /* only return for valid types */
- if ( (type >= FMODIFIER_TYPE_NULL) &&
- (type <= FMODIFIER_NUM_TYPES) )
+ if ((type >= FMODIFIER_TYPE_NULL) &&
+ (type < FMODIFIER_NUM_TYPES))
 {
 /* there shouldn't be any segfaults here... */
 return fmodifiersTypeInfo[type];
diff --git a/source/blender/editors/armature/poselib.c b/source/blender/editors/armature/poselib.c
index 23c987c3536..eea7424c59a 100644
--- a/source/blender/editors/armature/poselib.c
+++ b/source/blender/editors/armature/poselib.c
@@ -1006,7 +1006,7 @@ static void poselib_preview_apply(bContext *C, wmOperator *op)
 /* get search-string */
 index = pld->search_cursor;
- if (index >= 0 && index <= sizeof(tempstr) - 1) {
+ if (index >= 0 && index < sizeof(tempstr) - 1) {
 memcpy(&tempstr[0], &pld->searchstr[0], index);
 tempstr[index] = '|';
 memcpy(&tempstr[index + 1], &pld->searchstr[index], (sizeof(tempstr) - 1) - index);
-- 
cgit v1.2.3
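Review bot: In get_fmodifier_typeinfo, the corrected bound `type < FMODIFIER_NUM_TYPES` is only right if `fmodifiersTypeInfo` is declared with exactly `FMODIFIER_NUM_TYPES` entries, and nothing in the hunk ties the two together. The array declaration is outside the hunk, so this should be confirmed. The context comment "there shouldn't be any segfaults here..." does not explain the invariant the check enforces. I would replace it with `/* FMODIFIER_NUM_TYPES is the array length, i.e. one past the last valid index */`, so that the off-by-one is not reintroduced. If `type` can come from loaded file data, which is presumed and not shown here, this comparison is the only guard in front of the array index. The function body continues outside the hunk.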
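Review bot: In poselib_preview_apply, the new bound is taken from `sizeof(tempstr)`, but both memcpy calls read from `pld->searchstr`, and the second one reads up to offset `sizeof(tempstr) - 2` of that buffer regardless of the string's actual length. That is in bounds only if `searchstr` is at least as large as `tempstr`; neither declaration is visible in the hunk. I would state the assumption next to the check, for example `/* relies on sizeof(pld->searchstr) >= sizeof(tempstr) */`, or enforce it with a compile-time size check if both are fixed arrays. The last byte of `tempstr` is now written by the second memcpy from `searchstr`, so termination depends on the source buffer or on code after the hunk, which is worth confirming. The function continues outside the hunk.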