[Bf-blender-cvs] SVN commit: /data/svn/bf-blender [51529] trunk/blender/source/blender/ makesrna/intern/rna_access.c: fix for crash using an uninitialized pointer when fcurves reference missing collections (removing animated shape keys could crash).

Campbell Barton ideasman42 at gmail.com
Tue Oct 23 13:03:52 CEST 2012


Revision: 51529
          http://projects.blender.org/scm/viewvc.php?view=rev&root=bf-blender&revision=51529
Author:   campbellbarton
Date:     2012-10-23 11:03:52 +0000 (Tue, 23 Oct 2012)
Log Message:
-----------
fix for crash using an uninitialized pointer when fcurves reference missing collections (removing animated shape keys could crash).

Modified Paths:
--------------
    trunk/blender/source/blender/makesrna/intern/rna_access.c

Modified: trunk/blender/source/blender/makesrna/intern/rna_access.c
===================================================================
--- trunk/blender/source/blender/makesrna/intern/rna_access.c	2012-10-23 09:59:04 UTC (rev 51528)
+++ trunk/blender/source/blender/makesrna/intern/rna_access.c	2012-10-23 11:03:52 UTC (rev 51529)
@@ -3647,7 +3647,8 @@
 int RNA_path_resolve_full(PointerRNA *ptr, const char *path, PointerRNA *r_ptr, PropertyRNA **r_prop, int *index)
 {
 	PropertyRNA *prop;
-	PointerRNA curptr, nextptr;
+	PointerRNA curptr;
+	PointerRNA nextptr;  /* keep uninitialized, helps expose bugs in collection accessor functions */
 	char fixedbuf[256], *token;
 	int type, intkey;
 
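Review bot: The comment on `PointerRNA nextptr;` records that the variable is left uninitialized on purpose, but not the invariant that makes this safe: every path reaching the `if (nextptr.data)` test must either have had `nextptr` written by an accessor that returned non-zero or have set `nextptr.data = NULL` itself. Memory checkers will flag a missed path in instrumented runs, while a release build would simply act on stack residue, so the rule is worth spelling out, e.g. `/* keep uninitialized to expose accessor bugs; each branch below must fill nextptr or set nextptr.data = NULL before it is tested */`. The fallback branches added in this commit clear only `.data`, so the other members stay indeterminate and must not be read when `.data` is NULL. The code that consumes `nextptr` lies outside this hunk, so that part could not be checked here.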
@@ -3713,7 +3714,12 @@
 
 						/* check for "" to see if it is a string */
 						if (rna_token_strip_quotes(token)) {
-							RNA_property_collection_lookup_string(&curptr, prop, token + 1, &nextptr);
+							if (RNA_property_collection_lookup_string(&curptr, prop, token + 1, &nextptr)) {
+								/* pass */
+							}
+							else {
+								nextptr.data = NULL;
+							}
 						}
 						else {
 							/* otherwise do int lookup */
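Review bot: The empty `/* pass */` branch around `RNA_property_collection_lookup_string()` makes the failure handling harder to spot than it needs to be. Negating the test keeps only the path that matters: `if (!RNA_property_collection_lookup_string(&curptr, prop, token + 1, &nextptr)) {` followed by `nextptr.data = NULL;`. The same shape is repeated for `RNA_property_collection_lookup_int()` in the next hunk and could be changed the same way. Both guards trust the return value alone, so they presumably depend on each lookup returning non-zero only after it has written `nextptr`; a one-line comment stating that contract at the call site would help. The enclosing block starts and ends outside the hunk.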
@@ -3721,7 +3727,12 @@
 							if (intkey == 0 && (token[0] != '0' || token[1] != '\0')) {
 								return 0; /* we can be sure the fixedbuf was used in this case */
 							}
-							RNA_property_collection_lookup_int(&curptr, prop, intkey, &nextptr);
+							if (RNA_property_collection_lookup_int(&curptr, prop, intkey, &nextptr)) {
+								/* pass */
+							}
+							else {
+								nextptr.data = NULL;
+							}
 						}
 
 						if (token != fixedbuf) {
@@ -3730,13 +3741,14 @@
 					}
 					else {
 						PointerRNA c_ptr;
-
-						/* ensure we quit on invalid values */
-						nextptr.data = NULL;
 	
 						if (RNA_property_collection_type_get(&curptr, prop, &c_ptr)) {
 							nextptr = c_ptr;
 						}
+						else {
+							/* ensure we quit on invalid values */
+							nextptr.data = NULL;
+						}
 					}
 					
 					if (nextptr.data) {



