
Blender crash when double click on face with subsurf modifier
Closed, ResolvedPublic

Description

Blender Version
Broken: 6f9518f2438e
Worked: ?

Short description of error

Any time I enter edit mode (Faces) and double click on any face, Blender crashes. The model has a subdivision surface modifier.

Exact steps for others to reproduce the error
Streamlined file (gotta click sometimes, but it is a single face):

Original file:

Load the scene. Enter edit mode, press "3" to get the face mode. Double click on any face. Crash.

Developer notes
SUMMARY: AddressSanitizer: heap-buffer-overflow //source/blender/editors/mesh/editmesh_select.c:309 in EDBM_select_id_bm_elem_get
Full backtrace: P993

Event Timeline

Daniel Bystedt (dbystedt) triaged this task as Confirmed, Medium priority.

I get the same crash after double clicking a couple of times, but only when the subdivision modifier's "adjust edit cage to modifier result" option is on. When "adjust edit cage to modifier result" is off I don't get a crash.

Specs
System Information
Operating system: Windows-10-10.0.17763 64 Bits
Graphics card: GeForce GTX 1080/PCIe/SSE2 NVIDIA Corporation 4.5.0 NVIDIA 419.67

Blender Version
Broken: version: 2.80 (sub 73), branch: blender2.7, commit date: 2019-05-30 17:34, hash: rB846056de6b27
Worked: (optional)

Yes. When I disable the option "adjust edit cage to modifier result" there is no crash.

Brecht Van Lommel (brecht) raised the priority of this task from Confirmed, Medium to Needs Triage by Developer. May 31 2019, 12:55 AM
Clément Foucault (fclem) triaged this task as Confirmed, High priority.

For the record, in future reports, please attach the file directly:

This way we can re-test this bug in the future even if your Google Drive no longer hosts it.

Ok. I will do that!

@Clément Foucault (fclem) I can reproduce this in release, but not in debug ... mystery.

Dalai Felinto (dfelinto) renamed this task from Blender crash when double click on face. to Blender crash when double click on face with subsurf modifier.

Ok, so what is going on:

In EDBM_select_id_bm_elem_get() we get to Object *obedit = sel_id_ctx->bases[base_index]->object; with a base_index of 1, while sel_id_ctx->bases_len is 1. A simple overflow and a lack of failsafe in the for loop before it.
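The off-by-one described in the analysis above, as an added illustration that is not Blender's code: a selection-ID context covering several edit objects ("bases"), where a loop that maps a selection ID to its base index walks one past the last base when the ID lies beyond every range. The struct, field and function names (SelIdCtx, elem_offset, elem_get_unchecked, elem_get_checked) and the sample layout of two bases owning IDs 0..9 and 10..15 are constructed assumptions for this example; the unchecked variant returns base_index == bases_len for an out-of-range ID, which is exactly the index that must never be used to dereference bases[], and the checked variant refuses such IDs instead.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration (not Blender's code). Each base owns a
 * contiguous range of element IDs starting at elem_offset[i]; the range
 * of the last base ends at elem_offset[bases_len], so bases_len + 1
 * entries of elem_offset are meaningful. */
typedef struct SelIdCtx {
  uint32_t bases_len;
  uint32_t elem_offset[8];
} SelIdCtx;

typedef struct ElemRef {
  uint32_t base_index; /* which base the ID belongs to */
  uint32_t elem_index; /* index of the element inside that base */
} ElemRef;

/* Constructed sample: two bases, IDs 0..9 belong to base 0, 10..15 to base 1.
 * Any ID >= 16 is outside every range. */
static const SelIdCtx SAMPLE_CTX = {.bases_len = 2, .elem_offset = {0, 10, 16}};

/* Unchecked lookup, mirroring the failure mode in the report: when sel_id
 * is beyond the last range the loop exits with base_index == bases_len,
 * one past the end of the bases array. A caller that does
 * bases[base_index] with that value reads out of bounds. */
static ElemRef elem_get_unchecked(const SelIdCtx *ctx, uint32_t sel_id)
{
  uint32_t base_index = 0;
  while (base_index < ctx->bases_len && sel_id >= ctx->elem_offset[base_index + 1]) {
    base_index++;
  }
  return (ElemRef){base_index, sel_id - ctx->elem_offset[base_index]};
}

/* Checked lookup: reject IDs outside the covered range up front, and keep a
 * failsafe on the computed index so no out-of-range value ever escapes. */
static bool elem_get_checked(const SelIdCtx *ctx, uint32_t sel_id, ElemRef *out)
{
  if (ctx->bases_len == 0 || sel_id >= ctx->elem_offset[ctx->bases_len]) {
    return false; /* ID is not owned by any base */
  }
  ElemRef r = elem_get_unchecked(ctx, sel_id);
  if (r.base_index >= ctx->bases_len) {
    return false; /* failsafe: never hand back an index past the array */
  }
  *out = r;
  return true;
}

/* Small wrappers over the sample context so results are plain integers. */
static uint32_t unchecked_base_index(uint32_t sel_id)
{
  return elem_get_unchecked(&SAMPLE_CTX, sel_id).base_index;
}

/* Returns the base index, or -1 when the ID is rejected. */
static int checked_base_index(uint32_t sel_id)
{
  ElemRef r;
  return elem_get_checked(&SAMPLE_CTX, sel_id, &r) ? (int)r.base_index : -1;
}

int main(void)
{
  uint32_t ids[] = {3, 12, 16, 40};
  for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
    uint32_t unchecked = unchecked_base_index(ids[i]);
    printf("sel_id %2u: unchecked base_index %u (%s), checked %d\n", ids[i], unchecked,
           unchecked >= SAMPLE_CTX.bases_len ? "OUT OF BOUNDS" : "ok",
           checked_base_index(ids[i]));
  }
  return 0;
}
```

Running it shows IDs 3 and 12 resolving to bases 0 and 1 under both variants, while 16 and 40 yield an unchecked base_index of 2, equal to bases_len, and are rejected by the checked lookup. Under AddressSanitizer the unchecked path would only be flagged at the later bases[base_index] dereference, which is why the report's stack points at the access rather than at the loop.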