Fix OpenSubdiv related buffer overrun with multiple FVar channels.

The existing code uses the input value count of the first channel
for all of them. If the first channel is the largest, it leads to
a crash-causing buffer overrun in memcpy below. Likely this was
left since the time when only one channel was supported.

As a crash fix, probably should go into 2.78

diff --git a/intern/opensubdiv/opensubdiv_capi.cc b/intern/opensubdiv/opensubdiv_capi.cc
index ab904953c70d94b57c82066436642175edebd944..52ce98fe74b0e18e85b6751eeb2429de6ea4c2ea 100644 (file)
--- a/intern/opensubdiv/opensubdiv_capi.cc
+++ b/intern/opensubdiv/opensubdiv_capi.cc
@@ -165,7 +165,7 @@ static void interpolate_fvar_data(OpenSubdiv::Far::TopologyRefiner& refiner,
        const int max_level = refiner.GetMaxLevel();
        size_t fvar_data_offset = 0, values_offset = 0;
        for (int channel = 0; channel < refiner.GetNumFVarChannels(); ++channel) {
-               const int num_values = refiner.GetLevel(0).GetNumFVarValues(0) * 2,
+               const int num_values = refiner.GetLevel(0).GetNumFVarValues(channel) * 2,
                          num_values_max = refiner.GetLevel(max_level).GetNumFVarValues(channel),
                          num_values_total = refiner.GetNumFVarValuesTotal(channel);
                if (num_values_total <= 0) {