[Bf-blender-cvs] SVN commit: /data/svn/bf-blender [33986] trunk/blender/source/blender/ makesrna/intern: Bugfix #25437

Ton Roosendaal ton at blender.org
Sat Jan 1 14:49:22 CET 2011


Revision: 33986
          http://projects.blender.org/plugins/scmsvn/viewcvs.php?view=rev&root=bf-blender&revision=33986
Author:   ton
Date:     2011-01-01 14:49:22 +0100 (Sat, 01 Jan 2011)

Log Message:
-----------
Bugfix #25437

Crash in Bezier animation (inserting keys on control points in
curve object). The animation rna paths were not fixed after an
editmode session, which got fixed 2 weeks ago, but for all older
binaries the issue can still pop up.

The crash happened because the RNA array-iterator was not doing
a boundary check, even whilst the array size was passed on to the
iterator callbacks. With rna then writing far outside of valid
memory, very bad and unpredictable corruptions happen.

I've added a range check now, and a decent print to denote the
issue. An assert quit is useless, since a tab-tab on curve objects
will fix the channels nicely.

Example of warning print:
Array itterator out of range: Spline_bezier_points_lookup_int (index 30 range 2)
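The range check the log message describes, as an added example in C that is not Blender's code: a simplified iterator struct and a lookup function that rejects an index outside `[0, length)` before it advances `ptr`, so an out-of-range lookup reports failure instead of walking past `endptr`. The struct and function names are assumptions modelled on the patch, the skip callback is hypothetical, and the five-element array is constructed sample data.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified mirror of the patch's ArrayIterator (assumed names). */
typedef int (*IteratorSkipFunc)(const void *item);

typedef struct ArrayIterator {
    char *ptr;             /* current item */
    char *endptr;          /* one past the last item */
    int itemsize;
    int length;            /* total item count, used for the range check */
    IteratorSkipFunc skip; /* optional: nonzero means "hide this item" */
} ArrayIterator;

static void array_iterator_begin(ArrayIterator *it, void *base, int itemsize,
                                 int length, IteratorSkipFunc skip)
{
    it->ptr = (char *)base;
    it->endptr = (char *)base + (size_t)length * (size_t)itemsize;
    it->itemsize = itemsize;
    it->length = length;
    it->skip = skip;
}

/* Returns the index-th visible item, or NULL when the index is outside
 * [0, length) or the skip callback hides every remaining item.
 * Without the length check a bad index would move ptr past endptr. */
static void *array_iterator_lookup_int(ArrayIterator *it, int index, const char *funcname)
{
    if (index < 0 || index >= it->length) {
        printf("Array iterator out of range: %s (index %d range %d)\n",
               funcname, index, it->length);
        return NULL;
    }
    if (it->skip) {
        /* Skip hidden items at the front, then step over `index` visible ones,
         * never advancing beyond endptr. */
        while (it->ptr != it->endptr && it->skip(it->ptr))
            it->ptr += it->itemsize;
        while (index-- > 0 && it->ptr != it->endptr) {
            do {
                it->ptr += it->itemsize;
            } while (it->ptr != it->endptr && it->skip(it->ptr));
        }
    } else {
        it->ptr += (size_t)it->itemsize * (size_t)index;
    }
    return (it->ptr == it->endptr) ? NULL : it->ptr;
}

/* Hypothetical skip callback: hide every value that is a multiple of 20. */
static int skip_multiples_of_20(const void *item)
{
    return (*(const int *)item) % 20 == 0;
}

/* Looks up `index` in a constructed sample array; returns the value or -1. */
static int sample_lookup(int index, int use_skip)
{
    int data[5] = {10, 20, 30, 40, 50}; /* constructed sample data */
    ArrayIterator it;
    int *item;

    array_iterator_begin(&it, data, (int)sizeof(int), 5,
                         use_skip ? skip_multiples_of_20 : NULL);
    item = (int *)array_iterator_lookup_int(&it, index, "sample_lookup");
    return item ? *item : -1;
}

int main(void)
{
    printf("index 3, no skip  -> %d\n", sample_lookup(3, 0));
    printf("index 1, skip     -> %d\n", sample_lookup(1, 1));
    printf("index 30, no skip -> %d\n", sample_lookup(30, 0)); /* prints the warning */
    return 0;
}
```

With the skip callback installed, `index` still counts visible items while `length` counts all items, so an index between the visible count and `length` passes the range check; the `endptr` comparison inside the skip loop is what keeps that case from overrunning.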

Modified Paths:
--------------
    trunk/blender/source/blender/makesrna/intern/makesrna.c
    trunk/blender/source/blender/makesrna/intern/rna_access.c
    trunk/blender/source/blender/makesrna/intern/rna_internal.h

Modified: trunk/blender/source/blender/makesrna/intern/makesrna.c
===================================================================
--- trunk/blender/source/blender/makesrna/intern/makesrna.c	2011-01-01 13:20:35 UTC (rev 33985)
+++ trunk/blender/source/blender/makesrna/intern/makesrna.c	2011-01-01 13:49:22 UTC (rev 33986)
@@ -971,7 +971,10 @@
 
 	if(strcmp(nextfunc, "rna_iterator_array_next") == 0) {
 		fprintf(f, "		ArrayIterator *internal= iter.internal;\n");
-		fprintf(f, "		if(internal->skip) {\n");
+		fprintf(f, "		if(index < 0 || index >= internal->length) {\n");
+		fprintf(f, "			printf(\"Array itterator out of range: %%s (index %%d range %%d)\\n\", __func__, index, internal->length);  \n");
+		fprintf(f, "		}\n");
+		fprintf(f, "		else if(internal->skip) {\n");
 		fprintf(f, "			while(index-- > 0) {\n");
 		fprintf(f, "				do {\n");
 		fprintf(f, "					internal->ptr += internal->itemsize;\n");
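Review bot: the new out-of-range branch only prints and then falls through, so the remainder of the generated lookup (not visible in this hunk) still runs with `internal->ptr` unchanged and the caller gets no failure signal; consider having the generated function return failure right after the `printf` so a bad index cannot be mistaken for a valid hit. Also, the check compares `index` against `internal->length` (the total item count) while the `skip` loop counts only unskipped items, so an index between the visible count and `length` still enters the `while(index-- > 0)` loop; make sure the `do { ... }` advance is bounded by `internal->endptr`. Minor: the emitted message misspells "iterator" and the format string carries two trailing spaces before `\\n`.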
@@ -2389,6 +2392,7 @@
 				  "#define RNA_RUNTIME\n\n");
 
 	fprintf(f, "#include <float.h>\n");
+	fprintf(f, "#include <stdio.h>\n");
 	fprintf(f, "#include <limits.h>\n");
 	fprintf(f, "#include <string.h>\n\n");
 	fprintf(f, "#include <stddef.h>\n\n");

Modified: trunk/blender/source/blender/makesrna/intern/rna_access.c
===================================================================
--- trunk/blender/source/blender/makesrna/intern/rna_access.c	2011-01-01 13:20:35 UTC (rev 33985)
+++ trunk/blender/source/blender/makesrna/intern/rna_access.c	2011-01-01 13:49:22 UTC (rev 33986)
@@ -2828,7 +2828,8 @@
 	internal->endptr= ((char*)ptr)+length*itemsize;
 	internal->itemsize= itemsize;
 	internal->skip= skip;
-
+	internal->length= length;
+	
 	iter->internal= internal;
 	iter->valid= (internal->ptr != internal->endptr);
 
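Review bot: the replacement blank line `+\t` introduces trailing whitespace; keep it empty. Since `internal->endptr` is already derived from `length*itemsize` two lines above, storing `length` as well duplicates state that can drift if either field is later updated on its own; either note the invariant in a comment or derive the range check from `(endptr - ptr) / itemsize`.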

Modified: trunk/blender/source/blender/makesrna/intern/rna_internal.h
===================================================================
--- trunk/blender/source/blender/makesrna/intern/rna_internal.h	2011-01-01 13:20:35 UTC (rev 33985)
+++ trunk/blender/source/blender/makesrna/intern/rna_internal.h	2011-01-01 13:49:22 UTC (rev 33986)
@@ -324,6 +324,7 @@
 	char *endptr;
 	void *free_ptr; /* will be free'd if set */
 	int itemsize;
+	int length;
 	IteratorSkipFunc skip;
 } ArrayIterator;
 
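Review bot: the new `int length;` member has no comment, unlike `free_ptr` just above it; document that it holds the total item count (including items `skip` would hide) and exists for the range check in the generated `_lookup_int` functions, so future edits keep it in sync with `endptr`.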