Bugfix #25437

Crash in Bezier animation (inserting keys on control points in
curve object). The animation rna paths were not fixed after an
editmode session, which got fixed 2 weeks ago, but for all older
binaries the issue can still pop up.

The crash happened because the RNA array-itterator was not doing
a boundary check, even whilst the array size was passed on to the
itterator callbacks. With rna then writing far outside of valid
memory, very bad and unpredictable corruptions happen.

I've added a range check now, and a decent print to denote the
issue. An assert quit is useless, since a tab-tab on curve objects
will fix the channels nicely.

Example of warning print:
Array itterator out of range: Spline_bezier_points_lookup_int (index 30 range 2)

diff --git a/source/blender/makesrna/intern/makesrna.c b/source/blender/makesrna/intern/makesrna.c
index c8e7faf..15dbe48 100644 (file)
--- a/source/blender/makesrna/intern/makesrna.c
+++ b/source/blender/makesrna/intern/makesrna.c
@@ -971,7 +971,10 @@ static char *rna_def_property_lookup_int_func(FILE *f, StructRNA *srna, Property
 
        if(strcmp(nextfunc, "rna_iterator_array_next") == 0) {
                fprintf(f, "            ArrayIterator *internal= iter.internal;\n");
-               fprintf(f, "            if(internal->skip) {\n");
+               fprintf(f, "            if(index < 0 || index >= internal->length) {\n");
+               fprintf(f, "                    printf(\"Array itterator out of range: %%s (index %%d range %%d)\\n\", __func__, index, internal->length);  \n");
+               fprintf(f, "            }\n");
+               fprintf(f, "            else if(internal->skip) {\n");
                fprintf(f, "                    while(index-- > 0) {\n");
                fprintf(f, "                            do {\n");
                fprintf(f, "                                    internal->ptr += internal->itemsize;\n");
@@ -2389,6 +2392,7 @@ static void rna_generate(BlenderRNA *brna, FILE *f, const char *filename, const
                                  "#define RNA_RUNTIME\n\n");
 
        fprintf(f, "#include <float.h>\n");
+       fprintf(f, "#include <stdio.h>\n");
        fprintf(f, "#include <limits.h>\n");
        fprintf(f, "#include <string.h>\n\n");
        fprintf(f, "#include <stddef.h>\n\n");

diff --git a/source/blender/makesrna/intern/rna_access.c b/source/blender/makesrna/intern/rna_access.c
index 8d596ac..5dba0a4 100644 (file)
--- a/source/blender/makesrna/intern/rna_access.c
+++ b/source/blender/makesrna/intern/rna_access.c
@@ -2828,7 +2828,8 @@ void rna_iterator_array_begin(CollectionPropertyIterator *iter, void *ptr, int i
        internal->endptr= ((char*)ptr)+length*itemsize;
        internal->itemsize= itemsize;
        internal->skip= skip;
-
+       internal->length= length;
+       
        iter->internal= internal;
        iter->valid= (internal->ptr != internal->endptr);
 

diff --git a/source/blender/makesrna/intern/rna_internal.h b/source/blender/makesrna/intern/rna_internal.h
index cc1771a..90c5a55 100644 (file)
--- a/source/blender/makesrna/intern/rna_internal.h
+++ b/source/blender/makesrna/intern/rna_internal.h
@@ -324,6 +324,7 @@ typedef struct ArrayIterator {
        char *endptr;
        void *free_ptr; /* will be free'd if set */
        int itemsize;
+       int length;
        IteratorSkipFunc skip;
 } ArrayIterator;