blender
/
blender
129
397
Fork 572
Code Issues 6.2k Pull Requests 748 Projects 19 Wiki Activity

Fix (unreported) bad memory access in read/write code of MeshDeform modifier. 

This abuse of one one size value to handle another allocated array of a
different size is bad in itself, but at least now read/write code of
this modifier should not risk invalid memory access anymore.

NOTE: invalid memory access would in practice only happen in case endian
switch would be performed at read time I think (those switches only check
for given length being non-zero, not for a NULL data pointer...).
This commit is contained in:
Bastien Montagne 2022-05-12 17:19:22 +02:00 committed by Philipp Oeser
parent 354c22b28c
commit 8f530d6a47
Notes: blender-bot 2023-02-14 01:11:05 +01:00 
Referenced by issue #88449: Blender LTS: Maintenance Task 2.93
Referenced by issue #88449, Blender LTS: Maintenance Task 2.93
1 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
source/blender/modifiers/intern/MOD_meshdeform.c
View File

@ -602,7 +602,14 @@ static void blendWrite(BlendWriter *writer, const ModifierData *md)
int size = mmd->dyngridsize;
BLO_write_struct_array(writer, MDefInfluence, mmd->totinfluence, mmd->bindinfluences);
BLO_write_int32_array(writer, mmd->totvert + 1, mmd->bindoffsets);
/* NOTE: `bindoffset` is abusing `totvert + 1` as its size, this becomes an incorrect value in
* case `totvert == 0`, since `bindoffset` is then NULL, not a size 1 allocated array. */
if (mmd->totvert > 0) {
BLO_write_int32_array(writer, mmd->totvert + 1, mmd->bindoffsets);
}
else {
BLI_assert(mmd->bindoffsets == NULL);
}
BLO_write_float3_array(writer, mmd->totcagevert, mmd->bindcagecos);
BLO_write_struct_array(writer, MDefCell, size * size * size, mmd->dyngrid);
BLO_write_struct_array(writer, MDefInfluence, mmd->totinfluence, mmd->dyninfluences);
@ -614,7 +621,11 @@ static void blendRead(BlendDataReader *reader, ModifierData *md)
MeshDeformModifierData *mmd = (MeshDeformModifierData *)md;
BLO_read_data_address(reader, &mmd->bindinfluences);
BLO_read_int32_array(reader, mmd->totvert + 1, &mmd->bindoffsets);
/* NOTE: `bindoffset` is abusing `totvert + 1` as its size, this becomes an incorrect value in
* case `totvert == 0`, since `bindoffset` is then NULL, not a size 1 allocated array. */
if (mmd->totvert > 0) {
BLO_read_int32_array(reader, mmd->totvert + 1, &mmd->bindoffsets);
}
BLO_read_float3_array(reader, mmd->totcagevert, &mmd->bindcagecos);
BLO_read_data_address(reader, &mmd->dyngrid);
BLO_read_data_address(reader, &mmd->dyninfluences);