Bugfix #25437

Crash in Bezier animation (inserting keys on control points in
curve object). The animation rna paths were not fixed after an
editmode session, which got fixed 2 weeks ago, but for all older
binaries the issue can still pop up.

The crash happened because the RNA array-itterator was not doing
a boundary check, even whilst the array size was passed on to the
itterator callbacks. With rna then writing far outside of valid
memory, very bad and unpredictable corruptions happen.

I've added a range check now, and a decent print to denote the
issue. An assert quit is useless, since a tab-tab on curve objects
will fix the channels nicely.

Example of warning print:
Array itterator out of range: Spline_bezier_points_lookup_int (index 30 range 2)

diff --git a/source/blender/makesrna/intern/makesrna.c b/source/blender/makesrna/intern/makesrna.c
index c8e7fafbf5b873ca3c85e0dfeaeee8aea51de0ca..15dbe489f4ef44f0102d57ffc410f0f05e1611b5 100644 (file)
--- a/source/blender/makesrna/intern/makesrna.c
+++ b/source/blender/makesrna/intern/makesrna.c
@@ -971,7 +971,10 @@ static char *rna_def_property_lookup_int_func(FILE *f, StructRNA *srna, Property
 
        if(strcmp(nextfunc, "rna_iterator_array_next") == 0) {
                fprintf(f, "            ArrayIterator *internal= iter.internal;\n");
-               fprintf(f, "            if(internal->skip) {\n");
+               fprintf(f, "            if(index < 0 || index >= internal->length) {\n");
+               fprintf(f, "                    printf(\"Array itterator out of range: %%s (index %%d range %%d)\\n\", __func__, index, internal->length);  \n");
+               fprintf(f, "            }\n");
+               fprintf(f, "            else if(internal->skip) {\n");
                fprintf(f, "                    while(index-- > 0) {\n");
                fprintf(f, "                            do {\n");
                fprintf(f, "                                    internal->ptr += internal->itemsize;\n");
@@ -2389,6 +2392,7 @@ static void rna_generate(BlenderRNA *brna, FILE *f, const char *filename, const
                                  "#define RNA_RUNTIME\n\n");
 
        fprintf(f, "#include <float.h>\n");
+       fprintf(f, "#include <stdio.h>\n");
        fprintf(f, "#include <limits.h>\n");
        fprintf(f, "#include <string.h>\n\n");
        fprintf(f, "#include <stddef.h>\n\n");

diff --git a/source/blender/makesrna/intern/rna_access.c b/source/blender/makesrna/intern/rna_access.c
index 8d596ac50259839f9384e0c4189c7a15fc16f8e4..5dba0a41a023e5f598d437082771b2184aeac38f 100644 (file)
--- a/source/blender/makesrna/intern/rna_access.c
+++ b/source/blender/makesrna/intern/rna_access.c
@@ -2828,7 +2828,8 @@ void rna_iterator_array_begin(CollectionPropertyIterator *iter, void *ptr, int i
        internal->endptr= ((char*)ptr)+length*itemsize;
        internal->itemsize= itemsize;
        internal->skip= skip;
-
+       internal->length= length;
+       
        iter->internal= internal;
        iter->valid= (internal->ptr != internal->endptr);
 

diff --git a/source/blender/makesrna/intern/rna_internal.h b/source/blender/makesrna/intern/rna_internal.h
index cc1771adf8deef474e4eb9ec1519f160c861fa81..90c5a55522176f02307df58519ae29e1cc9eadce 100644 (file)
--- a/source/blender/makesrna/intern/rna_internal.h
+++ b/source/blender/makesrna/intern/rna_internal.h
@@ -324,6 +324,7 @@ typedef struct ArrayIterator {
        char *endptr;
        void *free_ptr; /* will be free'd if set */
        int itemsize;
+       int length;
        IteratorSkipFunc skip;
 } ArrayIterator;