
Heap Buffer Overflow Using Boundary Brush
Closed, Resolved · Public · BUG

Description

System Information
Operating system: Fedora 32
Graphics card: GTX 1080

Blender Version
Broken: 2.91
Worked: N/A

Short description of error
Heap buffer overflow when using the boundary brush with a subsurf modifier

Exact steps for others to reproduce the error

  1. Delete the bottom face of the default cube
  2. Add a subsurf modifier. Level 3 or 4 should work
  3. Sculpt mode -> Boundary brush
  4. Click around a bit, moving the boundary

==524849==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d000307bf8 at pc 0x0000075d3e43 bp 0x7ffcb535b270 sp 0x7ffcb535b260
READ of size 8 at 0x60d000307bf8 thread T0
    #0 0x75d3e42 in SCULPT_vertex_all_face_sets_visible_get /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:419
    #1 0x75defec in SCULPT_vertex_is_boundary /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:823
    #2 0x76a9440 in sculpt_boundary_get_closest_boundary_vertex /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt_boundary.c:103
    #3 0x76af9f8 in SCULPT_boundary_data_init /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt_boundary.c:491
    #4 0x76c45de in SCULPT_do_boundary_brush /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt_boundary.c:854
    #5 0x766864b in do_brush_action /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:5785
    #6 0x767387c in do_tiled /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:6143
    #7 0x76751dc in do_symmetrical_brush_actions /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:6224
    #8 0x768923a in sculpt_stroke_update_step /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:7569
    #9 0x75446b9 in paint_brush_stroke_add_step /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/paint_stroke.c:620
    #10 0x7550321 in paint_stroke_modal /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/paint_stroke.c:1486
    #11 0x474501d in wm_handler_operator_call /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm_event_system.c:2030
    #12 0x474dfa8 in wm_handlers_do_intern /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm_event_system.c:2814
    #13 0x474e24a in wm_handlers_do /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm_event_system.c:2862
    #14 0x4753913 in wm_event_do_handlers /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm_event_system.c:3287
    #15 0x47225d1 in WM_main /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm.c:475
    #16 0x33c66d8 in main /home/hans/Documents/Blender-Git/blender/source/creator/creator.c:546
    #17 0x7f3e603ae041 in __libc_start_main (/lib64/libc.so.6+0x27041)
    #18 0x33c5a8d in _start (/home/hans/Documents/Blender-Git/build_linux_debug/bin/blender+0x33c5a8d)

0x60d000307bf8 is located 8 bytes to the left of 136-byte region [0x60d000307c00,0x60d000307c88)
allocated by thread T0 here:
    #0 0x7f3e609c9837 in __interceptor_calloc (/lib64/libasan.so.6+0xb0837)
    #1 0x1e793aa1 in MEM_lockfree_callocN /home/hans/Documents/Blender-Git/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:235
    #2 0x46125d3 in mesh_vert_poly_or_loop_map_create /home/hans/Documents/Blender-Git/blender/source/blender/blenkernel/intern/mesh_mapping.c:213
    #3 0x4613257 in BKE_mesh_vert_poly_map_create /home/hans/Documents/Blender-Git/blender/source/blender/blenkernel/intern/mesh_mapping.c:266
    #4 0x3804412 in sculpt_update_object /home/hans/Documents/Blender-Git/blender/source/blender/blenkernel/intern/paint.c:1583
    #5 0x3805bfd in BKE_sculpt_update_object_for_edit /home/hans/Documents/Blender-Git/blender/source/blender/blenkernel/intern/paint.c:1708
    #6 0x768166c in SCULPT_stroke_modifiers_check /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:6959
    #7 0x76833cb in SCULPT_cursor_geometry_info_update /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:7104
    #8 0x77ee014 in paint_cursor_sculpt_session_update_and_init /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/paint_cursor.c:1364
    #9 0x77f5c41 in paint_cursor_draw_3D_view_brush_cursor /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/paint_cursor.c:1782
    #10 0x77f703e in paint_draw_cursor /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/paint_cursor.c:1904
    #11 0x4728ae6 in wm_paintcursor_draw /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm_draw.c:121
    #12 0x472fa83 in wm_draw_window_onscreen /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm_draw.c:776
    #13 0x4730069 in wm_draw_window /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm_draw.c:827
    #14 0x47314ad in wm_draw_update /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm_draw.c:1027
    #15 0x47225e9 in WM_main /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm.c:481
    #16 0x33c66d8 in main /home/hans/Documents/Blender-Git/blender/source/creator/creator.c:546
    #17 0x7f3e603ae041 in __libc_start_main (/lib64/libc.so.6+0x27041)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:419 in SCULPT_vertex_all_face_sets_visible_get
Shadow bytes around the buggy address:
  0x0c1a80058f20: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c1a80058f30: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a80058f40: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1a80058f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c1a80058f60: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
=>0x0c1a80058f70: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa[fa]
  0x0c1a80058f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a80058f90: 00 fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c1a80058fa0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c1a80058fb0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a80058fc0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==524849==ABORTING

In a non-debug build this resulted in a crash, so that might be the result too.
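An added triage helper, not part of this report or of Blender's own code: it parses the AddressSanitizer output above into the facts a first-pass triager wants (bug class, access type and size, where the faulting address sits relative to the allocated region, the faulting frame and the allocation site), so the report can be classified as an under-read of the vert-poly map's backing allocation instead of being read by hand. The sample input is the page's own ASan output trimmed to the top three frames of each stack; the names `Frame`, `AsanReport`, `parse_asan_report`, `first_frame_outside` and `triage`, the `MEM_`/`__interceptor_` wrapper-prefix list, and the assumption that the access size equals the array element size are mine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

# Constructed sample input: the ASan report from this bug, trimmed to three frames per stack.
SAMPLE_REPORT = """\
==524849==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d000307bf8 at pc 0x0000075d3e43 bp 0x7ffcb535b270 sp 0x7ffcb535b260
READ of size 8 at 0x60d000307bf8 thread T0
    #0 0x75d3e42 in SCULPT_vertex_all_face_sets_visible_get /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:419
    #1 0x75defec in SCULPT_vertex_is_boundary /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:823
    #2 0x76a9440 in sculpt_boundary_get_closest_boundary_vertex /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt_boundary.c:103

0x60d000307bf8 is located 8 bytes to the left of 136-byte region [0x60d000307c00,0x60d000307c88)
allocated by thread T0 here:
    #0 0x7f3e609c9837 in __interceptor_calloc (/lib64/libasan.so.6+0xb0837)
    #1 0x1e793aa1 in MEM_lockfree_callocN /home/hans/Documents/Blender-Git/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:235
    #2 0x46125d3 in mesh_vert_poly_or_loop_map_create /home/hans/Documents/Blender-Git/blender/source/blender/blenkernel/intern/mesh_mapping.c:213

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:419 in SCULPT_vertex_all_face_sets_visible_get
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+)\s+(\S.*)$")
REGION_RE = re.compile(
    r"^0x[0-9a-fA-F]+ is located (\d+) bytes (to the left of|to the right of|inside of) "
    r"(\d+)-byte region \[(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)\)"
)
# Assumption: allocator wrappers to skip when naming the allocation site (ASan interceptors, Blender's MEM_*).
ALLOC_WRAPPER_PREFIXES = ("__interceptor_", "MEM_")


@dataclass
class Frame:
    index: int
    func: str
    location: str  # "file.c:line" or "(module+offset)" exactly as ASan printed it


@dataclass
class AsanReport:
    pid: int
    bug_kind: str
    address: int
    access: str = ""  # READ or WRITE
    size: int = 0
    region_size: Optional[int] = None
    region_start: Optional[int] = None
    region_end: Optional[int] = None
    access_frames: List[Frame] = field(default_factory=list)
    alloc_frames: List[Frame] = field(default_factory=list)

    @property
    def offset_from_region(self) -> Optional[int]:
        """Signed distance of the faulting address from the region start; negative = left redzone."""
        return None if self.region_start is None else self.address - self.region_start


def parse_asan_report(text: str) -> AsanReport:
    """Walk the report line by line; frames go to the access stack until the
    'located'/'allocated by' lines switch us to the allocation stack."""
    report, target = None, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(pid=int(m.group(1)), bug_kind=m.group(2), address=int(m.group(3), 16))
            continue
        if report is None:
            continue
        if m := ACCESS_RE.match(line):
            report.access, report.size = m.group(1), int(m.group(2))
            target = report.access_frames
        elif m := REGION_RE.match(line):
            report.region_size = int(m.group(3))
            report.region_start, report.region_end = int(m.group(4), 16), int(m.group(5), 16)
        elif line.startswith(("allocated by", "freed by")):
            target = report.alloc_frames
        elif (m := FRAME_RE.match(line)) and target is not None:
            target.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report


def first_frame_outside(frames: Sequence[Frame], skip_prefixes: Sequence[str]) -> Optional[Frame]:
    """First frame whose function name does not start with one of the wrapper prefixes."""
    return next((f for f in frames if not f.func.startswith(tuple(skip_prefixes))), None)


def triage(report: AsanReport) -> dict:
    """Classify the access: which side of the allocation it hit and, treating the
    access size as the element size, which array index that corresponds to."""
    off = report.offset_from_region
    if off is None:
        side = "unknown"
    elif off < 0:
        side = "underflow (left redzone)"
    elif off >= (report.region_size or 0):
        side = "overflow (right redzone)"
    else:
        side = "inside region"
    alloc = first_frame_outside(report.alloc_frames, ALLOC_WRAPPER_PREFIXES)
    return {
        "bug": report.bug_kind,
        "access": f"{report.access} {report.size}",
        "side": side,
        "element_index": None if off is None or report.size == 0 else off // report.size,
        "fault_site": report.access_frames[0].func if report.access_frames else None,
        "alloc_site": alloc.func if alloc else None,
    }


if __name__ == "__main__":
    for key, value in triage(parse_asan_report(SAMPLE_REPORT)).items():
        print(f"{key:14} {value}")
```

On this report the helper classifies the fault as an 8-byte read at element index -1 of a 136-byte calloc made in mesh_vert_poly_or_loop_map_create, which is the shape of an unchecked negative or sentinel index reaching the left redzone; that is the check a fix in SCULPT_vertex_all_face_sets_visible_get or its caller would need to guard.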

Event Timeline

Hans Goudey (HooglyBoogly) changed the task status from Needs Triage to Confirmed. Aug 13 2020, 6:32 PM
Hans Goudey (HooglyBoogly) triaged this task as High priority.
Hans Goudey (HooglyBoogly) created this task.
Hans Goudey (HooglyBoogly) changed the subtype of this task from "Report" to "Bug".

I can't reproduce this. Does this still happen? In case it does, does D8819 fix it?

I can still reproduce this, and it still crashes in non-debug builds. Here is a quick video. I realized I don't actually need the subdiv modifier. Sometimes I have to click around more than this to trigger it,