fix for possible buffer overflow in gpu_nodes_get_vertex_attributes() and hair_veloci...
authorCampbell Barton <ideasman42@gmail.com>
Thu, 1 Nov 2012 09:56:18 +0000 (09:56 +0000)
committerCampbell Barton <ideasman42@gmail.com>
Thu, 1 Nov 2012 09:56:18 +0000 (09:56 +0000)
and an unlikely NULL pointer dereference in unlink_material_cb().

source/blender/blenkernel/intern/implicit.c
source/blender/blenkernel/intern/mball.c
source/blender/editors/animation/fmodifier_ui.c
source/blender/editors/space_outliner/outliner_tools.c
source/blender/gpu/intern/gpu_codegen.c
source/blender/windowmanager/intern/wm_event_system.c

index 39dcd73..92ac7b6 100644 (file)
@@ -1513,7 +1513,7 @@ static void hair_velocity_smoothing(ClothModifierData *clmd, lfVector *lF, lfVec
                i = HAIR_GRID_INDEX(lX[v], gmin, gmax, 0);
                j = HAIR_GRID_INDEX(lX[v], gmin, gmax, 1);
                k = HAIR_GRID_INDEX(lX[v], gmin, gmax, 2);
-               if (i < 0 || j < 0 || k < 0 || i > 10 || j >= 10 || k >= 10)
+               if (i < 0 || j < 0 || k < 0 || i > 10 || j > 10 || k > 10)
                        continue;
 
                lF[v][0] += smoothfac * (grid[i][j][k].velocity[0] - lV[v][0]);
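Review bot: The new test `i > 10 || j > 10 || k > 10` lets an index of exactly 10 through on all three axes, and the following statement reads `grid[i][j][k]` with it. The declaration of `grid` is outside this hunk; if each axis has 10 entries (valid indices 0..9), this extends the out-of-bounds read to `j` and `k` instead of closing it for `i`. In that case the check would need to be `if (i < 0 || j < 0 || k < 0 || i >= 10 || j >= 10 || k >= 10)`. Comparing against a named grid-size constant shared with the declaration would keep the bound and the array from drifting apart.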
index 592101f..5da7ff8 100644 (file)
@@ -1319,12 +1319,16 @@ static void addtovertices(VERTICES *vertices, VERTEX v)
 
 static void vnormal(const float point[3], PROCESS *p, float r_no[3])
 {
-       float delta = 0.2f * p->delta;
-       float f = p->function(point[0], point[1], point[2]);
+       const float delta = 0.2f * p->delta;
+       const float f = p->function(point[0], point[1], point[2]);
 
        r_no[0] = p->function(point[0] + delta, point[1], point[2]) - f;
        r_no[1] = p->function(point[0], point[1] + delta, point[2]) - f;
        r_no[2] = p->function(point[0], point[1], point[2] + delta) - f;
+
+#if 1
+       normalize_v3(r_no);
+#else
        f = normalize_v3(r_no);
        
        if (0) {
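Review bot: The disabled `#else` branch still contains `f = normalize_v3(r_no);`, but this change makes `f` a `const float`, so that branch will not compile if the `#if 1` is ever flipped. Either delete the disabled block (its `#endif` is added in the following hunk) or put a comment above `#if 1` saying why it is kept, for example `/* alternate normal code disabled; does not build as-is because f is const */`. The body of the `if (0)` block lies between the two hunks and is not visible here.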
@@ -1343,6 +1347,7 @@ static void vnormal(const float point[3], PROCESS *p, float r_no[3])
                        normalize_v3(r_no);
                }
        }
+#endif
 }
 
 
index a591b51..79a4c9a 100644 (file)
@@ -167,7 +167,7 @@ static void draw_modifier__generator(uiLayout *layout, ID *id, FModifier *fcm, s
                                        uiDefBut(block, LABEL, 1, "y =", 0, 0, 40, 20, NULL, 0.0, 0.0, 0, 0, "");
                                
                                /* coefficient */
-                               uiDefButF(block, NUM, B_FMODIFIER_REDRAW, "", 0, 0, bwidth/2, 20, cp, -UI_FLT_MAX, UI_FLT_MAX,
+                               uiDefButF(block, NUM, B_FMODIFIER_REDRAW, "", 0, 0, bwidth / 2, 20, cp, -UI_FLT_MAX, UI_FLT_MAX,
                                          10, 3, TIP_("Coefficient for polynomial"));
                                
                                /* 'x' param (and '+' if necessary) */
index 5fb9780..3b83279 100644 (file)
@@ -158,11 +158,16 @@ static void unlink_material_cb(bContext *UNUSED(C), Scene *UNUSED(scene), TreeEl
                totcol = mb->totcol;
                matar = mb->mat;
        }
+       else {
+               BLI_assert(0);
+       }
 
-       for (a = 0; a < totcol; a++) {
-               if (a == te->index && matar[a]) {
-                       matar[a]->id.us--;
-                       matar[a] = NULL;
+       if (LIKELY(matar != NULL)) {
+               for (a = 0; a < totcol; a++) {
+                       if (a == te->index && matar[a]) {
+                               matar[a]->id.us--;
+                               matar[a] = NULL;
+                       }
                }
        }
 }
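Review bot: The new `else { BLI_assert(0); }` branch has no comment saying which ID types are expected to reach this callback. If `BLI_assert` is compiled out of release builds (its definition is not shown here), the `matar != NULL` test is the only thing preventing the dereference. A short comment on the branch would record that, e.g. `/* unsupported ID type: matar stays NULL and the loop below is skipped */`. Separately, the loop visits every slot only to act on `a == te->index`, so a single range check of `te->index` against `totcol` would read more directly. The declarations and initial values of `a`, `totcol` and `matar` are outside this hunk.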
index b90e67a..b4490e6 100644 (file)
@@ -1046,17 +1046,20 @@ static void gpu_nodes_get_vertex_attributes(ListBase *nodes, GPUVertexAttribs *a
                                        }
                                }
 
-                               if (a == attribs->totlayer && a < GPU_MAX_ATTRIB) {
-                                       input->attribid = attribs->totlayer++;
-                                       input->attribfirst = 1;
-
-                                       attribs->layer[a].type = input->attribtype;
-                                       attribs->layer[a].attribid = input->attribid;
-                                       BLI_strncpy(attribs->layer[a].name, input->attribname,
-                                               sizeof(attribs->layer[a].name));
+                               if (a < GPU_MAX_ATTRIB) {
+                                       if (a == attribs->totlayer) {
+                                               input->attribid = attribs->totlayer++;
+                                               input->attribfirst = 1;
+
+                                               attribs->layer[a].type = input->attribtype;
+                                               attribs->layer[a].attribid = input->attribid;
+                                               BLI_strncpy(attribs->layer[a].name, input->attribname,
+                                                           sizeof(attribs->layer[a].name));
+                                       }
+                                       else {
+                                               input->attribid = attribs->layer[a].attribid;
+                                       }
                                }
-                               else
-                                       input->attribid = attribs->layer[a].attribid;
                        }
                }
        }
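Review bot: When `a` reaches `GPU_MAX_ATTRIB` the new code skips both branches, so `input->attribid` and `input->attribfirst` keep whatever they held before, and nothing signals that the attribute was dropped. That removes the out-of-bounds read of `attribs->layer[a]`, but later code that consumes `input->attribid` (outside this hunk) may act on a stale or unset id. Consider an explicit `else` on `if (a < GPU_MAX_ATTRIB)` that assigns a defined value or reports that the limit was hit. At minimum, add a comment such as `/* attribute table full: input keeps its previous attribid */`. The enclosing loops start before this hunk.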
index ffcbf39..e8e6a02 100644 (file)
@@ -2802,7 +2802,7 @@ void wm_event_add_ghostevent(wmWindowManager *wm, wmWindow *win, int type, int U
                                event.y = evt->y = (win->sizey - 1) - cy;
                        }
                        
-                       event.val= 0;
+                       event.val = 0;
                        
                        /* Use prevx/prevy so we can calculate the delta later */
                        event.prevx = event.x - pd->deltaX;