From bf5e717ef5617c597710c2836b511f9f089fcfc2 Mon Sep 17 00:00:00 2001 From: Sergey Sharybin Date: Fri, 26 May 2017 11:27:27 +0200 Subject: Fix T51609: Bake Texture, Margin crashing Blender Integer overflow in margin filter code. --- source/blender/imbuf/intern/filter.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source') diff --git a/source/blender/imbuf/intern/filter.c b/source/blender/imbuf/intern/filter.c index 1987c6d2a9a..38609d0a342 100644 --- a/source/blender/imbuf/intern/filter.c +++ b/source/blender/imbuf/intern/filter.c @@ -406,7 +406,7 @@ void IMB_filter_extend(struct ImBuf *ibuf, char *mask, int filter) const int height = ibuf->y; const int depth = 4; /* always 4 channels */ const int chsize = ibuf->rect_float ? sizeof(float) : sizeof(unsigned char); - const int bsize = width * height * depth * chsize; + const size_t bsize = ((size_t)width) * height * depth * chsize; const bool is_float = (ibuf->rect_float != NULL); void *dstbuf = (void *) MEM_dupallocN(ibuf->rect_float ? (void *) ibuf->rect_float : (void *) ibuf->rect); char *dstmask = mask == NULL ? NULL : (char *) MEM_dupallocN(mask); @@ -499,7 +499,9 @@ void IMB_filter_extend(struct ImBuf *ibuf, char *mask, int filter) /* keep the original buffer up to date. */ memcpy(srcbuf, dstbuf, bsize); - if (dstmask != NULL) memcpy(srcmask, dstmask, width * height); + if (dstmask != NULL) { + memcpy(srcmask, dstmask, ((size_t)width) * height); + } } /* free memory */ -- cgit v1.2.3 From bddd9d809d2c291eb0a92220195908c51ae2ce80 Mon Sep 17 00:00:00 2001 From: lazydodo Date: Fri, 26 May 2017 06:26:21 -0600 Subject: Fix integer overflows in meshcache modifier. Differential Revision: https://developer.blender.org/D2688 --- source/blender/modifiers/intern/MOD_meshcache_mdd.c | 5 ++++- source/blender/modifiers/intern/MOD_meshcache_pc2.c | 6 +++++- 2 files changed, 9 insertions(+), 2 deletions(-) (limited to 'source') diff --git a/source/blender/modifiers/intern/MOD_meshcache_mdd.c b/source/blender/modifiers/intern/MOD_meshcache_mdd.c index 90fc750de3b..3dd3a5fc598 100644 --- a/source/blender/modifiers/intern/MOD_meshcache_mdd.c +++ b/source/blender/modifiers/intern/MOD_meshcache_mdd.c @@ -35,6 +35,9 @@ #ifdef __LITTLE_ENDIAN__ # include "BLI_endian_switch.h" #endif +#ifdef WIN32 +# include "BLI_winstuff.h" +#endif #include "MOD_meshcache_util.h" /* own include */ @@ -157,7 +160,7 @@ bool MOD_meshcache_read_mdd_index(FILE *fp, return false; } - if (fseek(fp, index * mdd_head.verts_tot * sizeof(float) * 3, SEEK_CUR) != 0) { + if (fseek(fp, sizeof(float) * 3 * index * mdd_head.verts_tot, SEEK_CUR) != 0) { *err_str = "Failed to seek frame"; return false; } diff --git a/source/blender/modifiers/intern/MOD_meshcache_pc2.c b/source/blender/modifiers/intern/MOD_meshcache_pc2.c index 219eae4ecca..8360c8ffda7 100644 --- a/source/blender/modifiers/intern/MOD_meshcache_pc2.c +++ b/source/blender/modifiers/intern/MOD_meshcache_pc2.c @@ -35,6 +35,10 @@ # include "BLI_endian_switch.h" #endif +#ifdef WIN32 +# include "BLI_winstuff.h" +#endif + #include "MOD_meshcache_util.h" /* own include */ #include "DNA_modifier_types.h" @@ -142,7 +146,7 @@ bool MOD_meshcache_read_pc2_index(FILE *fp, return false; } - if (fseek(fp, index * pc2_head.verts_tot * sizeof(float) * 3, SEEK_CUR) != 0) { + if (fseek(fp, sizeof(float) * 3 * index * pc2_head.verts_tot , SEEK_CUR) != 0) { *err_str = "Failed to seek frame"; return false; } -- cgit v1.2.3 From ac66fb193f80847fd4fc1b46413ebb3199ebbf1b Mon Sep 17 00:00:00 2001 From: Campbell Barton Date: Fri, 26 May 2017 23:19:33 +1000 Subject: Fix freeing all custom-data layers Would crash when the active index was out of range, since there is no reason to use the active layer when freeing all, free the first instead. --- source/blender/blenkernel/intern/customdata.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) (limited to 'source') diff --git a/source/blender/blenkernel/intern/customdata.c b/source/blender/blenkernel/intern/customdata.c index 7c3f0ac630d..331714301d5 100644 --- a/source/blender/blenkernel/intern/customdata.c +++ b/source/blender/blenkernel/intern/customdata.c @@ -1944,11 +1944,16 @@ void *CustomData_add_layer_named(CustomData *data, int type, int alloctype, bool CustomData_free_layer(CustomData *data, int type, int totelem, int index) { - const int n = index - CustomData_get_layer_index(data, type); - int i; - - if (index < 0) + if (index < 0) { + return false; + } + const int index_first = CustomData_get_layer_index(data, type); + if (index_first == -1) { return false; + } + + const int n = index - index_first; + int i; customData_free_layer__internal(&data->layers[index], totelem); @@ -1993,8 +1998,10 @@ bool CustomData_free_layer_active(CustomData *data, int type, int totelem) void CustomData_free_layers(CustomData *data, int type, int totelem) { - while (CustomData_has_layer(data, type)) - CustomData_free_layer_active(data, type, totelem); + const int index = CustomData_get_layer_index(data, type); + while (CustomData_free_layer(data, type, totelem, index)) { + /* pass */ + } } bool CustomData_has_layer(const CustomData *data, int type) -- cgit v1.2.3