[Bf-blender-cvs] [302fe4f3ad9] temp-gpu-image-engine: Fix meta-ball bound-box calculation reading past buffer bounds

Wed Dec 15 14:37:53 CET 2021

Commit: 302fe4f3ad90e2bcee4a6ca470d4dd9af4bc8490
Author: Campbell Barton
Date:   Wed Dec 15 23:39:53 2021 +1100
Branches: temp-gpu-image-engine
https://developer.blender.org/rB302fe4f3ad90e2bcee4a6ca470d4dd9af4bc8490

Fix meta-ball bound-box calculation reading past buffer bounds

This broke "test_undo.view3d_multi_mode_select" test in
"lib/tests/ui_simulate" and is likely exposed by recent changes to
bounding box calculation.

The missing check for DL_INDEX4 dates back to code from 2002 which
intended to check this but was checking for DL_INDEX3 twice
which got removed as part of a cleaned up.

This could be hidden from memory checking tools as meta-balls
over-allocate vertex arrays.

===================================================================

M	source/blender/blenkernel/intern/displist.cc

===================================================================

diff --git a/source/blender/blenkernel/intern/displist.cc b/source/blender/blenkernel/intern/displist.cc
index a8a7b5c5af3..edf043de63f 100644
--- a/source/blender/blenkernel/intern/displist.cc
+++ b/source/blender/blenkernel/intern/displist.cc
@@ -1528,7 +1528,7 @@ void BKE_displist_minmax(const ListBase *dispbase, float min[3], float max[3])
   bool doit = false;
 
   LISTBASE_FOREACH (const DispList *, dl, dispbase) {
-    const int tot = (dl->type == DL_INDEX3) ? dl->nr : dl->nr * dl->parts;
+    const int tot = (ELEM(dl->type, DL_INDEX3, DL_INDEX4)) ? dl->nr : dl->nr * dl->parts;
     for (const int i : IndexRange(tot)) {
       minmax_v3v3_v3(min, max, &dl->verts[i * 3]);
     }

