[Bf-blender-cvs] [0969dcc861a] blender-v3.0-release: Fix reading the 3rd value of 2D cursors when transforming

Campbell Barton noreply at git.blender.org
Mon Nov 8 05:23:00 CET 2021


Commit: 0969dcc861a50f321e3f69151c15df7c73c76552
Author: Campbell Barton
Date:   Mon Nov 8 15:14:21 2021 +1100
Branches: blender-v3.0-release
https://developer.blender.org/rB0969dcc861a50f321e3f69151c15df7c73c76552

Fix reading the 3rd value of 2D cursors when transforming

Out-of-bounds read and potential out-of-bounds write when transforming
the 2D cursor in the image editor and sequencer.

While this didn't cause user visible bugs in my tests,
it's error prone and should be avoided.

Use TransData2D for 2D cursors.

===================================================================

M	source/blender/editors/transform/transform_convert_cursor.c

===================================================================

diff --git a/source/blender/editors/transform/transform_convert_cursor.c b/source/blender/editors/transform/transform_convert_cursor.c
index ed96eba7f6c..4846e8d2d1a 100644
--- a/source/blender/editors/transform/transform_convert_cursor.c
+++ b/source/blender/editors/transform/transform_convert_cursor.c
@@ -43,44 +43,51 @@
 static void createTransCursor_2D_impl(TransInfo *t, float cursor_location[2])
 {
   TransData *td;
+  TransData2D *td2d;
   {
     BLI_assert(t->data_container_len == 1);
     TransDataContainer *tc = t->data_container;
     tc->data_len = 1;
     td = tc->data = MEM_callocN(sizeof(TransData), "TransTexspace");
-    td->ext = tc->data_ext = MEM_callocN(sizeof(TransDataExtension), "TransTexspace");
+    td2d = tc->data_2d = MEM_callocN(tc->data_len * sizeof(TransData2D), "TransObData2D(Cursor)");
+    td->ext = tc->data_ext = MEM_callocN(sizeof(TransDataExtension), "TransCursorExt");
   }
 
   td->flag = TD_SELECTED;
 
+  td2d->loc2d = cursor_location;
+
   /* UV coords are scaled by aspects (see #UVsToTransData). This also applies for the Cursor in the
    * UV Editor which also means that for display and when the cursor coords are flushed
    * (recalcData_cursor_image), these are converted each time. */
-  cursor_location[0] = cursor_location[0] * t->aspect[0];
-  cursor_location[1] = cursor_location[1] * t->aspect[1];
+  td2d->loc[0] = cursor_location[0] * t->aspect[0];
+  td2d->loc[1] = cursor_location[1] * t->aspect[1];
+  td2d->loc[2] = 0.0f;
+
+  copy_v3_v3(td->center, td2d->loc);
 
-  copy_v3_v3(td->center, cursor_location);
   td->ob = NULL;
 
   unit_m3(td->mtx);
   unit_m3(td->axismtx);
   pseudoinverse_m3_m3(td->smtx, td->mtx, PSEUDOINVERSE_EPSILON);
 
-  td->loc = cursor_location;
-  copy_v3_v3(td->iloc, cursor_location);
+  td->loc = td2d->loc;
+  copy_v3_v3(td->iloc, td2d->loc);
 }
 
 static void recalcData_cursor_2D_impl(TransInfo *t)
 {
   TransDataContainer *tc = t->data_container;
   TransData *td = tc->data;
+  TransData2D *td2d = tc->data_2d;
   float aspect_inv[2];
 
   aspect_inv[0] = 1.0f / t->aspect[0];
   aspect_inv[1] = 1.0f / t->aspect[1];
 
-  td->loc[0] = td->loc[0] * aspect_inv[0];
-  td->loc[1] = td->loc[1] * aspect_inv[1];
+  td2d->loc2d[0] = td->loc[0] * aspect_inv[0];
+  td2d->loc2d[1] = td->loc[1] * aspect_inv[1];
 
   DEG_id_tag_update(&t->scene->id, ID_RECALC_COPY_ON_WRITE);
 }
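Review bot: The new `td2d->loc2d = cursor_location;` keeps a pointer to the caller's two-float array without a comment stating that bound, and because the parameter `float cursor_location[2]` decays to `float *` the compiler will not enforce it. The out-of-bounds fix holds only while every access through `loc2d` stays at indices 0 and 1, as `recalcData_cursor_2D_impl` does; any code outside this hunk that treats `loc2d` as a 3-vector would presumably bring the overrun back. I would add above the assignment `/* loc2d aliases the caller-owned float[2]: access only [0] and [1]; the 3-float working copy is td2d->loc. */`. Separately, the `TransData` allocation still carries the `"TransTexspace"` tag while the two neighbouring allocations now have cursor-specific names, which makes leak reports harder to attribute.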


