Commit: 39067824060f83d1da66df7bf8d779e9ebe7c76e
Author: Antony Riakiotakis
Date: Tue Sep 23 19:05:31 2014 +0200
Branches: master
https://developer.blender.org/rB39067824060f83d1da66df7bf8d779e9ebe7c76e
Fix possible buffer overflow in selection code. We want to copy the
number of selected data since the offset, not the offset!
===================================================================
M source/blender/editors/space_view3d/view3d_select.c
===================================================================
diff --git a/source/blender/editors/space_view3d/view3d_select.c
b/source/blender/editors/space_view3d/view3d_select.c
index 46ea520..c26ce27 100644
--- a/source/blender/editors/space_view3d/view3d_select.c
+++ b/source/blender/editors/space_view3d/view3d_select.c
@@ -1181,14 +1181,14 @@ static short selectbuffer_ret_hits_15(unsigned int
*UNUSED(buffer), const short
static short selectbuffer_ret_hits_9(unsigned int *buffer, const short hits15,
const short hits9)
{
const int offs = 4 * hits15;
- memcpy(buffer, buffer + offs, 4 * offs);
+ memcpy(buffer, buffer + offs, 4 * hits9);
return hits9;
}
static short selectbuffer_ret_hits_5(unsigned int *buffer, const short hits15,
const short hits9, const short hits5)
{
const int offs = 4 * hits15 + 4 * hits9;
- memcpy(buffer, buffer + offs, 4 * offs);
+ memcpy(buffer, buffer + offs, 4 * hits5);
return hits5;
}
_______________________________________________
Bf-blender-cvs mailing list
[email protected]
http://lists.blender.org/mailman/listinfo/bf-blender-cvs
