blender
/
blender
136
405
Fork 586
Code Issues 6.2k Pull Requests 756 Projects 19 Wiki Activity

Fix reading the 3rd value of 2D cursors when transforming 

Out of bounds read and potential out-of-bounds write when transforming
the 2D cursor for image editor and sequencer.

While this didn't cause user visible bugs in my tests,
it's error prone and should be avoided.

Use TransData2D for 2D cursors.
This commit is contained in:
Campbell Barton 2021-11-08 15:14:21 +11:00
parent fb4b737518
commit de581a2302
1 changed files with 15 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
source/blender/editors/transform/transform_convert_cursor.c
View File

@ -43,44 +43,51 @@
static void createTransCursor_2D_impl(TransInfo *t, float cursor_location[2])
{
TransData *td;
TransData2D *td2d;
{
BLI_assert(t->data_container_len == 1);
TransDataContainer *tc = t->data_container;
tc->data_len = 1;
td = tc->data = MEM_callocN(sizeof(TransData), "TransTexspace");
td->ext = tc->data_ext = MEM_callocN(sizeof(TransDataExtension), "TransTexspace");
td2d = tc->data_2d = MEM_callocN(tc->data_len * sizeof(TransData2D), "TransObData2D(Cursor)");
td->ext = tc->data_ext = MEM_callocN(sizeof(TransDataExtension), "TransCursorExt");
}
td->flag = TD_SELECTED;
td2d->loc2d = cursor_location;
/* UV coords are scaled by aspects (see #UVsToTransData). This also applies for the Cursor in the
* UV Editor which also means that for display and when the cursor coords are flushed
* (recalcData_cursor_image), these are converted each time. */
cursor_location[0] = cursor_location[0] * t->aspect[0];
cursor_location[1] = cursor_location[1] * t->aspect[1];
td2d->loc[0] = cursor_location[0] * t->aspect[0];
td2d->loc[1] = cursor_location[1] * t->aspect[1];
td2d->loc[2] = 0.0f;
copy_v3_v3(td->center, td2d->loc);
copy_v3_v3(td->center, cursor_location);
td->ob = NULL;
unit_m3(td->mtx);
unit_m3(td->axismtx);
pseudoinverse_m3_m3(td->smtx, td->mtx, PSEUDOINVERSE_EPSILON);
td->loc = cursor_location;
copy_v3_v3(td->iloc, cursor_location);
td->loc = td2d->loc;
copy_v3_v3(td->iloc, td2d->loc);
}
static void recalcData_cursor_2D_impl(TransInfo *t)
{
TransDataContainer *tc = t->data_container;
TransData *td = tc->data;
TransData2D *td2d = tc->data_2d;
float aspect_inv[2];
aspect_inv[0] = 1.0f / t->aspect[0];
aspect_inv[1] = 1.0f / t->aspect[1];
td->loc[0] = td->loc[0] * aspect_inv[0];
td->loc[1] = td->loc[1] * aspect_inv[1];
td2d->loc2d[0] = td->loc[0] * aspect_inv[0];
td2d->loc2d[1] = td->loc[1] * aspect_inv[1];
DEG_id_tag_update(&t->scene->id, ID_RECALC_COPY_ON_WRITE);
}