[Bf-blender-cvs] [62ce0c60cd5] blender-v3.0-release: Fix meta-ball bound-box calculation reading past buffer bounds

Tue Jan 11 09:32:59 CET 2022

Commit: 62ce0c60cd5fc66d640ac3e221576b2a4ee9fd29
Author: Campbell Barton
Date:   Wed Dec 15 23:39:53 2021 +1100
Branches: blender-v3.0-release
https://developer.blender.org/rB62ce0c60cd5fc66d640ac3e221576b2a4ee9fd29

Fix meta-ball bound-box calculation reading past buffer bounds

This broke "test_undo.view3d_multi_mode_select" test in
"lib/tests/ui_simulate" and is likely exposed by recent changes to
bounding box calculation.

The missing check for DL_INDEX4 dates back to code from 2002 which
intended to check this but was checking for DL_INDEX3 twice
which got removed as part of a cleaned up.

This could be hidden from memory checking tools as meta-balls
over-allocate vertex arrays.

===================================================================

M	source/blender/blenkernel/intern/displist.cc

===================================================================

diff --git a/source/blender/blenkernel/intern/displist.cc b/source/blender/blenkernel/intern/displist.cc
index 73aea944665..5e553112c54 100644
--- a/source/blender/blenkernel/intern/displist.cc
+++ b/source/blender/blenkernel/intern/displist.cc
@@ -1534,7 +1534,7 @@ void BKE_displist_minmax(const ListBase *dispbase, float min[3], float max[3])
   bool doit = false;
 
   LISTBASE_FOREACH (const DispList *, dl, dispbase) {
-    const int tot = (dl->type == DL_INDEX3) ? dl->nr : dl->nr * dl->parts;
+    const int tot = (ELEM(dl->type, DL_INDEX3, DL_INDEX4)) ? dl->nr : dl->nr * dl->parts;
     for (const int i : IndexRange(tot)) {
       minmax_v3v3_v3(min, max, &dl->verts[i * 3]);
     }

