[Bf-blender-cvs] [de581a23022] master: Fix reading the 3rd value of 2D cursors when transforming

Campbell Barton noreply at git.blender.org
Mon Nov 8 07:02:08 CET 2021


Commit: de581a2302297c5e235cd6dfc51760ac7225827c
Author: Campbell Barton
Date:   Mon Nov 8 15:14:21 2021 +1100
Branches: master
https://developer.blender.org/rBde581a2302297c5e235cd6dfc51760ac7225827c

Fix reading the 3rd value of 2D cursors when transforming

Out of bounds read and potential out-of-bounds write when transforming
the 2D cursor for image editor and sequencer.

While this didn't cause user visible bugs in my tests,
it's error prone and should be avoided.

Use TransData2D for 2D cursors.

===================================================================

M	source/blender/editors/transform/transform_convert_cursor.c

===================================================================

diff --git a/source/blender/editors/transform/transform_convert_cursor.c b/source/blender/editors/transform/transform_convert_cursor.c
index ed96eba7f6c..4846e8d2d1a 100644
--- a/source/blender/editors/transform/transform_convert_cursor.c
+++ b/source/blender/editors/transform/transform_convert_cursor.c
@@ -43,44 +43,51 @@
 static void createTransCursor_2D_impl(TransInfo *t, float cursor_location[2])
 {
   TransData *td;
+  TransData2D *td2d;
   {
     BLI_assert(t->data_container_len == 1);
     TransDataContainer *tc = t->data_container;
     tc->data_len = 1;
     td = tc->data = MEM_callocN(sizeof(TransData), "TransTexspace");
-    td->ext = tc->data_ext = MEM_callocN(sizeof(TransDataExtension), "TransTexspace");
+    td2d = tc->data_2d = MEM_callocN(tc->data_len * sizeof(TransData2D), "TransObData2D(Cursor)");
+    td->ext = tc->data_ext = MEM_callocN(sizeof(TransDataExtension), "TransCursorExt");
   }
 
   td->flag = TD_SELECTED;
 
+  td2d->loc2d = cursor_location;
+
   /* UV coords are scaled by aspects (see #UVsToTransData). This also applies for the Cursor in the
    * UV Editor which also means that for display and when the cursor coords are flushed
    * (recalcData_cursor_image), these are converted each time. */
-  cursor_location[0] = cursor_location[0] * t->aspect[0];
-  cursor_location[1] = cursor_location[1] * t->aspect[1];
+  td2d->loc[0] = cursor_location[0] * t->aspect[0];
+  td2d->loc[1] = cursor_location[1] * t->aspect[1];
+  td2d->loc[2] = 0.0f;
+
+  copy_v3_v3(td->center, td2d->loc);
 
-  copy_v3_v3(td->center, cursor_location);
   td->ob = NULL;
 
   unit_m3(td->mtx);
   unit_m3(td->axismtx);
   pseudoinverse_m3_m3(td->smtx, td->mtx, PSEUDOINVERSE_EPSILON);
 
-  td->loc = cursor_location;
-  copy_v3_v3(td->iloc, cursor_location);
+  td->loc = td2d->loc;
+  copy_v3_v3(td->iloc, td2d->loc);
 }
 
 static void recalcData_cursor_2D_impl(TransInfo *t)
 {
   TransDataContainer *tc = t->data_container;
   TransData *td = tc->data;
+  TransData2D *td2d = tc->data_2d;
   float aspect_inv[2];
 
   aspect_inv[0] = 1.0f / t->aspect[0];
   aspect_inv[1] = 1.0f / t->aspect[1];
 
-  td->loc[0] = td->loc[0] * aspect_inv[0];
-  td->loc[1] = td->loc[1] * aspect_inv[1];
+  td2d->loc2d[0] = td->loc[0] * aspect_inv[0];
+  td2d->loc2d[1] = td->loc[1] * aspect_inv[1];
 
   DEG_id_tag_update(&t->scene->id, ID_RECALC_COPY_ON_WRITE);
 }
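Review bot: The invariant this fix depends on is not documented in createTransCursor_2D_impl: `td->loc` has to point at three floats (now `td2d->loc`), while `td2d->loc2d` keeps the caller's two-element `cursor_location`, which may only be accessed at indices 0 and 1. Since `float cursor_location[2]` decays to a plain pointer, nothing stops a later edit from pointing `td->loc` back at it and reintroducing the out-of-bounds access described in the commit message. I would add above `td2d->loc2d = cursor_location;` a comment such as `/* Borrowed float[2] owned by the caller: must outlive the transform, only [0] and [1] are valid. */` and above `td->loc = td2d->loc;` one such as `/* Must be 3-float storage, never the 2D cursor itself. */`. recalcData_cursor_2D_impl writes through `loc2d` later, so the lifetime requirement is real, though the callers are outside this hunk and I cannot confirm what they pass. The `"TransTexspace"` allocation label kept for `tc->data` is also stale next to the renamed `"TransCursorExt"`, which makes allocator leak reports harder to attribute.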


