Fix T103942 ASAN crash in math_boolean function.

The code in questions comes from Shewchuk's triangle code, which hasn't been updated to fix the out-of-buffer access problem that ASAN finds in the delaunay unit test. The problem is benign: the code would exit the loop before using the value fetched from beyond the end of the buffer, but to make ASAN happy, I put in a couple extra tests to not fetch values that aren't going to be used.
Referenced by issue #103942, ASAN error/crash invalid memory access
2023-01-22 12:48:45 -05:00 · 2023-01-22 12:48:45 -05:00 · 3a2899cc31 · 2023-06-07 10:31:13 +02:00
parent b544199c56
commit 3a2899cc31
1 changed files with 12 additions and 4 deletions
--- a/source/blender/blenlib/intern/math_boolean.cc
+++ b/source/blender/blenlib/intern/math_boolean.cc
@ -501,11 +501,15 @@ static int fast_expansion_sum_zeroelim(
    while ((eindex < elen) && (findex < flen)) {
      if ((fnow > enow) == (fnow > -enow)) {
        Two_Sum(Q, enow, Qnew, hh);
-        enow = e[++eindex];
+        if (++eindex < elen) {
+          enow = e[eindex];
+        }
      }
      else {
        Two_Sum(Q, fnow, Qnew, hh);
-        fnow = f[++findex];
+        if (++findex < flen) {
+          fnow = f[findex];
+        }
      }
      Q = Qnew;
      if (hh != 0.0) {
@ -515,7 +519,9 @@ static int fast_expansion_sum_zeroelim(
  }
  while (eindex < elen) {
    Two_Sum(Q, enow, Qnew, hh);
-    enow = e[++eindex];
+    if (++eindex < elen) {
+      enow = e[eindex];
+    }
    Q = Qnew;
    if (hh != 0.0) {
      h[hindex++] = hh;
@ -523,7 +529,9 @@ static int fast_expansion_sum_zeroelim(
  }
  while (findex < flen) {
    Two_Sum(Q, fnow, Qnew, hh);
-    fnow = f[++findex];
+    if (++findex < flen) {
+      fnow = f[findex];
+    }
    Q = Qnew;
    if (hh != 0.0) {
      h[hindex++] = hh;