Old IDProperty bug, (from original commit r8916),
author Campbell Barton <ideasman42@gmail.com>
Tue, 8 Mar 2011 03:14:59 +0000 (03:14 +0000)
committer Campbell Barton <ideasman42@gmail.com>
Tue, 8 Mar 2011 03:14:59 +0000 (03:14 +0000)
found crash while changing operator string size.

Shrinking arrays never worked right.
Rather than "newlen * sizeof(...)", it would memcpy "newlen * oldlen * sizeof(...)", which always goes over the array bounds.

source/blender/blenkernel/intern/idprop.c

index 40d12e063206735120702329ea9f6aa406074eed..67be3e71101f26f0113fa6fbb3ea67bd6cf2ea80 100644 (file)
@@ -240,7 +240,7 @@ void IDP_ResizeArray(IDProperty *prop, int newlen)
        else {
                /* newlen is smaller*/
                idp_resize_group_array(prop, newlen, newarr);
-               memcpy(newarr, prop->data.pointer, newlen*prop->len*idp_size_table[(int)prop->subtype]);
+               memcpy(newarr, prop->data.pointer, newlen*idp_size_table[(int)prop->subtype]);
        }
 
        MEM_freeN(prop->data.pointer);
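
Review bot: The copy length on the added memcpy line is still an int product of the caller-supplied newlen and idp_size_table[(int)prop->subtype], and nothing in the visible lines of this else branch checks that newlen is non-negative and no larger than prop->len before the copy. The "newlen is smaller" comment is the only statement of that precondition, so consider asserting it here and computing the byte count once as a size_t local (element size times newlen) that is passed to memcpy. Hoisting the element size into a named local would also have made the stray prop->len factor on the removed line easier to spot. A regression test that shrinks an array property would cover this path, which the commit message says never worked.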