[Bf-blender-cvs] [4f8c15daf4c] blender-v3.3-release: Fix logical errors in RNA_path_array_index_token_find

Campbell Barton noreply at git.blender.org
Fri Aug 19 02:58:01 CEST 2022


Commit: 4f8c15daf4cde7d55e2a7bc59287b6e795d934d0
Author: Campbell Barton
Date:   Fri Aug 19 10:44:51 2022 +1000
Branches: blender-v3.3-release
https://developer.blender.org/rB4f8c15daf4cde7d55e2a7bc59287b6e795d934d0

Fix logical errors in RNA_path_array_index_token_find

This function never succeeded as an off-by-one error checking the last
character always indexed the null byte.
The 'for' loop was broken as of [0] since the unsigned number could wrap
around with some RNA paths causing out of bounds memory access.

This is an example where tests would have caught the problem early on;
RNA path tests are planned as part of D15558.

[0]: 11b4d0a3c3787a90e6f1631f7735d0968afbb20a

===================================================================

M	source/blender/makesrna/intern/rna_path.cc

===================================================================

diff --git a/source/blender/makesrna/intern/rna_path.cc b/source/blender/makesrna/intern/rna_path.cc
index 02544b177ef..58e9a7bde82 100644
--- a/source/blender/makesrna/intern/rna_path.cc
+++ b/source/blender/makesrna/intern/rna_path.cc
@@ -704,12 +704,16 @@ const char *RNA_path_array_index_token_find(const char *rna_path, const Property
 
   /* Valid 'array part' of a rna path can only have '[', ']' and digit characters.
    * It may have more than one of those (e.g. `[12][1]`) in case of multi-dimensional arrays. */
-  size_t rna_path_len = (size_t)strlen(rna_path);
+  if (UNLIKELY(rna_path[0] == '\0')) {
+    return NULL;
+  }
+  size_t rna_path_len = (size_t)strlen(rna_path) - 1;
   if (rna_path[rna_path_len] != ']') {
     return NULL;
   }
+
   const char *last_valid_index_token_start = NULL;
-  for (rna_path_len--; rna_path_len >= 0; rna_path_len--) {
+  while (rna_path_len--) {
     switch (rna_path[rna_path_len]) {
       case '[':
         if (rna_path_len <= 0 || rna_path[rna_path_len - 1] != ']') {
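Review bot: the new `while (rna_path_len--)` loop no longer runs the switch on the trailing ']'. `rna_path_len` is now `strlen(rna_path) - 1`, and the post-decrement in the loop condition means the first index the body sees is `strlen(rna_path) - 2`. The old `for (rna_path_len--; ...)` started at the last character itself. If the ']' case (not visible in this hunk) validates the character before it, that check is now skipped for the final bracket; please confirm this is intended, or start the scan from the ']' that was just tested. Two smaller points in the same lines: after this change `rna_path_len` holds an index rather than a length, so a rename (or a short comment) would prevent the next off-by-one; and in `if (rna_path_len <= 0 || rna_path[rna_path_len - 1] != ']')` the `<= 0` on a `size_t` can only ever mean `== 0`, which would read more honestly written that way. Note also that when the loop ends through its condition, the variable has wrapped to the maximum `size_t` value, so nothing after the loop should index with it.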


