Fix T94674: crash reading ORCOs from an Alembic animation

The crash is caused as the data is only for the first frame, but the mesh changes topology, so reading the data in subsequent frames causes a buffer overflow. To fix this, we check that the data size matches the mesh's vertex count.
Referenced by issue #94674, Playback of Alembic file results in an EXCEPTION_ACCESS_VIOLATION crash within the tbbmalloc.dll module
2022-01-06 11:47:40 +01:00 · 2022-01-06 11:47:40 +01:00 · 88e15ff1e6 · 2024-01-16 18:05:25 +01:00
parent ed3fecae8e
commit 88e15ff1e6
1 changed files with 6 additions and 0 deletions
--- a/source/blender/io/alembic/intern/abc_customdata.cc
+++ b/source/blender/io/alembic/intern/abc_customdata.cc
@ -545,6 +545,12 @@ void read_generated_coordinates(const ICompoundProperty &prop,
  const size_t totvert = abc_ocro.get()->size();
  Mesh *mesh = config.mesh;

+  if (totvert != mesh->totvert) {
+    /* Either the data is somehow corrupted, or we have a dynamic simulation where only the ORCOs
+     * for the first frame were exported. */
+    return;
+  }
+
  void *cd_data;
  if (CustomData_has_layer(&mesh->vdata, CD_ORCO)) {
    cd_data = CustomData_get_layer(&mesh->vdata, CD_ORCO);