[Bf-committers] "off by one" error in renderdatabase.c?
Ton Roosendaal
ton at blender.org
Thu Mar 3 17:10:39 CET 2005
Hi,
It's in my code, will check... later!
-Ton-
On 2 Mar, 2005, at 18:39, Martin Dickopp wrote:
> Hello,
>
> I have a Blender file which crashes Blender (2.36 compiled from official
> source and CVS HEAD as of 02-Mar-2005 18:00:06 CET) when a specific
> frame is rendered. Although I can reproduce the problem only with 64 bit
> GNU/Linux (on an AMD64 machine) and not with 32 bit GNU/Linux (on an
> x86 machine), I think that the problem is not 64 bit specific. See my
> analysis below.
>
>
> First of all, how to reproduce it: Download the file
>
> http://www.zero-based.org/blender-bug-report/crash.blend
>
> and render frame 726 on an AMD64 GNU/Linux system. The following
> messages appear
>
> Memoryblock free: attempt to free illegal pointer
> Memoryblock free: attempt to free illegal pointer
> Memoryblock free: pointer not in memlist
> Memoryblock free: pointer not in memlist
> Memoryblock free: pointer not in memlist
> Memoryblock free: attempt to free illegal pointer
>
> and then Blender crashes with a segmentation fault.
>
>
> I think I know what is causing this. By looking
> how the function RE_freeRotateBlenderScene in
> source/blender/renderconverter/intern/convertBlenderScene.c
> frees the elements of the arrays R.blove, R.blovl and R.bloha,
> I conclude that these arrays are supposed to be terminated by
> an element which is a null pointer.
>
> If I now look at source/blender/render/intern/source/renderdatabase.c,
> it contains the following code (slightly shortened):
>
> VlakRen *RE_findOrAddVlak(int nr)
> {
>     VlakRen *v, **temp;
>     static int rblovllen=TABLEINITSIZE;
>     int a;
>
>     /* ... */
>     a= nr>>8;
>
>     if (a>=rblovllen){
>         /* ... allocate more memory and fill it with zeros. */
>     }
>
>     v= R.blovl[a];
>     if(v==0) {
>         v= (VlakRen *)MEM_callocN(256*sizeof(VlakRen),"findOrAddVlak");
>         R.blovl[a]= v;
>     }
>     v+= (nr & 255);
>     return v;
> }
>
> Now imagine that the variable a gets the value rblovllen-1. In this case,
> new memory is not yet allocated, but all the rblovllen members of
> R.blovl (with indices 0 to rblovllen-1) are non-null pointers.
> Therefore, R.blovl is not null terminated until further calls to
> RE_findOrAddVlak cause the value of a to become rblovllen.
> RE_freeRotateBlenderScene barfs if it is called in this situation.
>
> R.blove and R.bloha have the same problem. I therefore propose to apply
> the attached patch. It fixes the problem for me.
>
> Thank you very much,
> Martin
> <offbyone.diff>
> _______________________________________________
> Bf-committers mailing list
> Bf-committers at projects.blender.org
> http://projects.blender.org/mailman/listinfo/bf-committers
>
-- 
Ton Roosendaal Blender Foundation ton at blender.org
http://www.blender.org
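A small C model of the off-by-one Martin describes, added here as an illustration; it is not Blender's code, INITSIZE is an assumed stand-in for TABLEINITSIZE, and the `fixed` branch is an assumed fix, since the attached patch is not visible on this page. The buggy variant grows the table only when `a >= rblovllen`, so filling slot `rblovllen-1` leaves no NULL terminator for a free loop to stop at.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of R.blovl: an array of pointers to 256-entry pages
 * that the free loop in RE_freeRotateBlenderScene walks until it meets a
 * NULL pointer. INITSIZE stands in for TABLEINITSIZE (assumed value). */
#define PAGE 256
#define INITSIZE 4

typedef struct { void **tab; int len; } PageTable;  /* tab is calloc'd */

/* Grow by INITSIZE slots; new slots are zero-filled as in the original. */
static void pt_grow(PageTable *pt) {
    void **bigger = calloc(pt->len + INITSIZE, sizeof *bigger);
    memcpy(bigger, pt->tab, pt->len * sizeof *bigger);
    free(pt->tab);
    pt->tab = bigger;
    pt->len += INITSIZE;
}

/* Lookup as in the quoted RE_findOrAddVlak. fixed==0 grows only when
 * a >= len, so a == len-1 fills the last slot and no NULL remains.
 * fixed==1 is an assumed fix (the attached patch is not shown): grow
 * when a >= len-1, so slot len-1 always stays NULL as terminator. */
static void *pt_find_or_add(PageTable *pt, int nr, int fixed) {
    int a = nr >> 8;
    while (a >= pt->len - fixed) pt_grow(pt);
    if (pt->tab[a] == NULL) pt->tab[a] = calloc(PAGE, sizeof(int));
    return (int *)pt->tab[a] + (nr & 255);
}

/* Walk like the free loop, but bounds-checked: index of the first NULL
 * slot, or -1 if none exists (the real loop would read past the array). */
static int pt_terminator_index(const PageTable *pt) {
    for (int i = 0; i < pt->len; i++)
        if (pt->tab[i] == NULL) return i;
    return -1;
}

/* Touch pages 0..INITSIZE-1 (nr = a << 8) and report where the
 * terminator ended up: -1 with the bug, 4 with the fix. */
int demo(int fixed) {
    PageTable pt = { calloc(INITSIZE, sizeof(void *)), INITSIZE };
    for (int a = 0; a < INITSIZE; a++) pt_find_or_add(&pt, a << 8, fixed);
    int r = pt_terminator_index(&pt);
    for (int i = 0; i < pt.len; i++) free(pt.tab[i]);
    free(pt.tab);
    return r;
}
```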