[Bf-blender-cvs] SVN commit: /data/svn/bf-blender [51805] trunk/blender/source/blender: fix for possible buffer overflow in gpu_nodes_get_vertex_attributes() and hair_velocity_smoothing()
Campbell Barton
ideasman42 at gmail.com
Thu Nov 1 10:56:19 CET 2012
Revision: 51805
http://projects.blender.org/scm/viewvc.php?view=rev&root=bf-blender&revision=51805
Author: campbellbarton
Date: 2012-11-01 09:56:18 +0000 (Thu, 01 Nov 2012)
Log Message:
-----------
fix for possible buffer overflow in gpu_nodes_get_vertex_attributes() and hair_velocity_smoothing()
and an unlikely NULL pointer dereference in unlink_material_cb().
Modified Paths:
--------------
trunk/blender/source/blender/blenkernel/intern/implicit.c
trunk/blender/source/blender/blenkernel/intern/mball.c
trunk/blender/source/blender/editors/animation/fmodifier_ui.c
trunk/blender/source/blender/editors/space_outliner/outliner_tools.c
trunk/blender/source/blender/gpu/intern/gpu_codegen.c
trunk/blender/source/blender/windowmanager/intern/wm_event_system.c
Modified: trunk/blender/source/blender/blenkernel/intern/implicit.c
===================================================================
--- trunk/blender/source/blender/blenkernel/intern/implicit.c 2012-11-01 09:54:00 UTC (rev 51804)
+++ trunk/blender/source/blender/blenkernel/intern/implicit.c 2012-11-01 09:56:18 UTC (rev 51805)
@@ -1513,7 +1513,7 @@
i = HAIR_GRID_INDEX(lX[v], gmin, gmax, 0);
j = HAIR_GRID_INDEX(lX[v], gmin, gmax, 1);
k = HAIR_GRID_INDEX(lX[v], gmin, gmax, 2);
- if (i < 0 || j < 0 || k < 0 || i > 10 || j >= 10 || k >= 10)
+ if (i < 0 || j < 0 || k < 0 || i > 10 || j > 10 || k > 10)
continue;
lF[v][0] += smoothfac * (grid[i][j][k].velocity[0] - lV[v][0]);
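Review bot: The new bounds test accepts 10 for all three indices (`i > 10 || j > 10 || k > 10`), where the old line at least rejected `j == 10` and `k == 10`, so for an overflow fix the comparison appears to have moved in the wrong direction. The declaration of `grid` is outside this hunk; if each dimension has 10 elements, as the literal suggests, the valid range is 0..9 and `grid[i][j][k]` on the next line reads past the array whenever an index equals 10. The check should presumably be `if (i < 0 || j < 0 || k < 0 || i >= 10 || j >= 10 || k >= 10)`, ideally against a named grid-size constant shared with the declaration and HAIR_GRID_INDEX so the three cannot drift apart. The enclosing loop and function start and end outside the hunk.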
Modified: trunk/blender/source/blender/blenkernel/intern/mball.c
===================================================================
--- trunk/blender/source/blender/blenkernel/intern/mball.c 2012-11-01 09:54:00 UTC (rev 51804)
+++ trunk/blender/source/blender/blenkernel/intern/mball.c 2012-11-01 09:56:18 UTC (rev 51805)
@@ -1319,12 +1319,16 @@
static void vnormal(const float point[3], PROCESS *p, float r_no[3])
{
- float delta = 0.2f * p->delta;
- float f = p->function(point[0], point[1], point[2]);
+ const float delta = 0.2f * p->delta;
+ const float f = p->function(point[0], point[1], point[2]);
r_no[0] = p->function(point[0] + delta, point[1], point[2]) - f;
r_no[1] = p->function(point[0], point[1] + delta, point[2]) - f;
r_no[2] = p->function(point[0], point[1], point[2] + delta) - f;
+
+#if 1
+ normalize_v3(r_no);
+#else
f = normalize_v3(r_no);
if (0) {
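Review bot: The `#else` branch kept below `#if 1` still assigns `f = normalize_v3(r_no);`, but `f` is now declared `const float`, so the disabled code can no longer compile if someone flips the switch. Either delete the dead branch (it runs through the `#endif` added in the next hunk of this file) or put a comment above the `#if 1` saying why it is retained, for example `/* plain normalization; the older refinement below is kept for reference only and no longer builds */`. The body of the `#else` branch is only partly visible between the two hunks.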
@@ -1343,6 +1347,7 @@
normalize_v3(r_no);
}
}
+#endif
}
Modified: trunk/blender/source/blender/editors/animation/fmodifier_ui.c
===================================================================
--- trunk/blender/source/blender/editors/animation/fmodifier_ui.c 2012-11-01 09:54:00 UTC (rev 51804)
+++ trunk/blender/source/blender/editors/animation/fmodifier_ui.c 2012-11-01 09:56:18 UTC (rev 51805)
@@ -167,7 +167,7 @@
uiDefBut(block, LABEL, 1, "y =", 0, 0, 40, 20, NULL, 0.0, 0.0, 0, 0, "");
/* coefficient */
- uiDefButF(block, NUM, B_FMODIFIER_REDRAW, "", 0, 0, bwidth/2, 20, cp, -UI_FLT_MAX, UI_FLT_MAX,
+ uiDefButF(block, NUM, B_FMODIFIER_REDRAW, "", 0, 0, bwidth / 2, 20, cp, -UI_FLT_MAX, UI_FLT_MAX,
10, 3, TIP_("Coefficient for polynomial"));
/* 'x' param (and '+' if necessary) */
Modified: trunk/blender/source/blender/editors/space_outliner/outliner_tools.c
===================================================================
--- trunk/blender/source/blender/editors/space_outliner/outliner_tools.c 2012-11-01 09:54:00 UTC (rev 51804)
+++ trunk/blender/source/blender/editors/space_outliner/outliner_tools.c 2012-11-01 09:56:18 UTC (rev 51805)
@@ -158,11 +158,16 @@
totcol = mb->totcol;
matar = mb->mat;
}
+ else {
+ BLI_assert(0);
+ }
- for (a = 0; a < totcol; a++) {
- if (a == te->index && matar[a]) {
- matar[a]->id.us--;
- matar[a] = NULL;
+ if (LIKELY(matar != NULL)) {
+ for (a = 0; a < totcol; a++) {
+ if (a == te->index && matar[a]) {
+ matar[a]->id.us--;
+ matar[a] = NULL;
+ }
}
}
}
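Review bot: The `LIKELY(matar != NULL)` guard only helps if `matar` is initialised to NULL where it is declared, which is above this hunk. If it is declared without an initialiser, the new `else` branch leaves it indeterminate once `BLI_assert(0)` is compiled out (presumably in release builds), and the test then reads an indeterminate pointer. It is worth confirming that the declarations read `matar = NULL` and `totcol = 0`. As a smaller point, the loop only ever acts on `a == te->index`, so it could be a direct range check, `if (te->index >= 0 && te->index < totcol && matar[te->index])`.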
Modified: trunk/blender/source/blender/gpu/intern/gpu_codegen.c
===================================================================
--- trunk/blender/source/blender/gpu/intern/gpu_codegen.c 2012-11-01 09:54:00 UTC (rev 51804)
+++ trunk/blender/source/blender/gpu/intern/gpu_codegen.c 2012-11-01 09:56:18 UTC (rev 51805)
@@ -1046,17 +1046,20 @@
}
}
- if (a == attribs->totlayer && a < GPU_MAX_ATTRIB) {
- input->attribid = attribs->totlayer++;
- input->attribfirst = 1;
+ if (a < GPU_MAX_ATTRIB) {
+ if (a == attribs->totlayer) {
+ input->attribid = attribs->totlayer++;
+ input->attribfirst = 1;
- attribs->layer[a].type = input->attribtype;
- attribs->layer[a].attribid = input->attribid;
- BLI_strncpy(attribs->layer[a].name, input->attribname,
- sizeof(attribs->layer[a].name));
+ attribs->layer[a].type = input->attribtype;
+ attribs->layer[a].attribid = input->attribid;
+ BLI_strncpy(attribs->layer[a].name, input->attribname,
+ sizeof(attribs->layer[a].name));
+ }
+ else {
+ input->attribid = attribs->layer[a].attribid;
+ }
}
- else
- input->attribid = attribs->layer[a].attribid;
}
}
}
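Review bot: When `a` reaches `GPU_MAX_ATTRIB` the new outer `if` skips both branches, so `input->attribid` is left at whatever value it had before and the attribute is dropped without any trace. That removes the out-of-bounds read of `attribs->layer[a]` the old `else` could perform, but code that consumes `input->attribid` later cannot tell a valid id from a stale one. Consider adding an explicit `else` with a comment such as `/* no free slot in attribs->layer[]; input->attribid is left unset */` and, if the initial value of `attribid` is not already a safe default (not visible here), assigning one there. The search loop that produces `a` and the enclosing function lie outside the hunk.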
Modified: trunk/blender/source/blender/windowmanager/intern/wm_event_system.c
===================================================================
--- trunk/blender/source/blender/windowmanager/intern/wm_event_system.c 2012-11-01 09:54:00 UTC (rev 51804)
+++ trunk/blender/source/blender/windowmanager/intern/wm_event_system.c 2012-11-01 09:56:18 UTC (rev 51805)
@@ -2802,7 +2802,7 @@
event.y = evt->y = (win->sizey - 1) - cy;
}
- event.val= 0;
+ event.val = 0;
/* Use prevx/prevy so we can calculate the delta later */
event.prevx = event.x - pd->deltaX;