From 6ecef4d176feaf7c024d22fb426dcf621f6bb2ef Mon Sep 17 00:00:00 2001 From: Germano Cavalcante Date: Tue, 17 Oct 2023 11:46:10 -0300 Subject: [PATCH] Fix crash when Transform Extend multiple NLA strips `tdn` was being incremented even though it wasn't used, which led to changes in memory outside the HEAP limits. --- source/blender/editors/transform/transform_convert_nla.cc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/source/blender/editors/transform/transform_convert_nla.cc b/source/blender/editors/transform/transform_convert_nla.cc index 3a35e84cebf..7751c7c6aee 100644 --- a/source/blender/editors/transform/transform_convert_nla.cc +++ b/source/blender/editors/transform/transform_convert_nla.cc @@ -621,13 +621,15 @@ static void createTransNlaData(bContext *C, TransInfo *t) if (tdn->handle == 2) { tdn += 2; } - else { + else if (tdn->handle) { tdn++; } } } } + BLI_assert(tdn <= (((TransDataNla *)tc->custom.type.data) + tc->data_len)); + /* cleanup temp list */ ANIM_animdata_freelist(&anim_data); }