[Bf-committers] Patch 6395 Minor bug in source/blender/blenkernel/intern/material.c

Early Ehlinger early at respower.com
Thu Mar 22 13:50:05 CET 2007


Hi Campbell,

It was around line 411 I believe.  The original code from 
give_current_material() looked like this:

        short *totcolp= give_totcolp(ob);

        /* check for inconsistancy */
        if(*totcolp < ob->totcol)
            ob->totcol= *totcolp;

The *totcolp in the if statement caused the crash, since totcolp was NULL.

Upon further inspection of material.c, it looks like there is at least 
one more unchecked usage of its return:

in delete_material_index(), around line 783, (*totcolp)--

-- Early Ehlinger, President, ResPower, Inc.

Campbell Barton wrote:
> 2 bugs that happened because of missing NULL checks with 
> give_totcolp() have been fixed in the last few days. Do you have a 
> line number for the crash?
>
> Early Ehlinger wrote:
>> Just yesterday I had a .blend file become corrupt using 2.43. Not 
>> sure exactly how that happened.
>>
>> Anyway, when I tried to open the .blend, Blender would print a 
>> warning that some data had been lost and then crash. It was an access 
>> violation reading 0x0000000, which I believe translates to segfault 
>> on Linux.
>>
>> So I fired up a debug build to see where it was happening.
>>
>> Turns out, it was source/blender/blenkernel/intern/material.c, inside 
>> give_current_material( )
>>
>> give_current_material() calls give_totcolp(), but doesn't check the 
>> result. In this case, presumably because the .blend file was somewhat 
>> corrupt, give_totcolp returned NULL, and give_current_material 
>> promptly dereferenced the pointer. WAMMO! Blender -> dead.
>>
>> Anyway, here's a patch to simply propagate the NULL return from 
>> give_totcolp up the chain, which was enough to allow me to recover 
>> the rest of the information from the .blend file.
>>
>> Unfortunately, I didn't think to keep the broken .blend to 
>> demonstrate the crash and the fix; I was so happy to have recovered 
>> it that I stupidly saved over the broken one with the recovered one.
>>
>> -- Early Ehlinger, President, ResPower, Inc.
>> _______________________________________________
>> Bf-committers mailing list
>> Bf-committers at projects.blender.org
>> http://projects.blender.org/mailman/listinfo/bf-committers
>>
>
>
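
Added example (not part of the original message and not Blender's source): a reduced C model of the pattern discussed in this thread, with the unchecked dereference beside a version that propagates the NULL return, plus the same guard for the (*totcolp)-- site. The struct layouts, the OB_MESH value, the simplified give_totcolp() body and the *_unchecked / *_checked function names are assumptions made for illustration.

```c
#include <stddef.h>

/* Reduced stand-ins for Blender's types; layouts and values are assumptions. */
enum { OB_MESH = 1 };
typedef struct Material { int id; } Material;
typedef struct Mesh { short totcol; } Mesh;
typedef struct Object {
    short type;       /* comes from the .blend file, so it is untrusted */
    void *data;       /* NULL when the datablock was lost on load */
    Material **mat;
    short totcol;
} Object;

/* Pointer to the material count of the object data, or NULL if there is none. */
short *give_totcolp(Object *ob)
{
    if (ob == NULL || ob->data == NULL) return NULL;
    if (ob->type == OB_MESH) return &((Mesh *)ob->data)->totcol;
    return NULL;      /* unknown or unsupported type */
}

/* Before: the pattern from the thread. Reads through totcolp without a check,
   so a NULL return becomes a read of address 0. Shown for comparison only. */
Material *current_material_unchecked(Object *ob, int act)
{
    short *totcolp = give_totcolp(ob);
    if (*totcolp < ob->totcol) ob->totcol = *totcolp;
    return (act >= 1 && act <= ob->totcol) ? ob->mat[act - 1] : NULL;
}

/* After: propagate the NULL up the chain, as the patch in the thread describes. */
Material *current_material_checked(Object *ob, int act)
{
    short *totcolp = give_totcolp(ob);
    if (totcolp == NULL) return NULL;
    if (*totcolp < ob->totcol) ob->totcol = *totcolp;   /* clamp inconsistent count */
    if (ob->mat == NULL || act < 1 || act > ob->totcol) return NULL;
    return ob->mat[act - 1];
}

/* Same guard for the (*totcolp)-- site: returns 1 if a slot was removed. */
int delete_material_slot_checked(Object *ob)
{
    short *totcolp = give_totcolp(ob);
    if (totcolp == NULL || *totcolp <= 0) return 0;
    (*totcolp)--;
    if (ob->totcol > *totcolp) ob->totcol = *totcolp;
    return 1;
}
```

Callers of the checked variants have to treat a NULL or 0 return as "no material" rather than as an error that stops the load.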


