From 4d8dad056cd167db4e9fcf388f47588f3620b0f3 Mon Sep 17 00:00:00 2001
From: Sean Kim
Date: Tue, 5 Mar 2024 15:50:40 +0100
Subject: [PATCH] Fix #119070: Fix crash in sculpt menu lasso tool

This PR adds an extra check to exit from sculpt gesture code early to avoid attempting to allocate a 3 * (UINT_MAX - 1) amount of elements inside the trim gesture code.

Pull Request: https://projects.blender.org/blender/blender/pulls/119073
---
 source/blender/editors/sculpt_paint/paint_mask.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/source/blender/editors/sculpt_paint/paint_mask.cc b/source/blender/editors/sculpt_paint/paint_mask.cc
index 1e4576cdd43..ed061b1f546 100644
--- a/source/blender/editors/sculpt_paint/paint_mask.cc
+++ b/source/blender/editors/sculpt_paint/paint_mask.cc
@@ -729,6 +729,12 @@ static SculptGestureContext *sculpt_gesture_init_from_lasso(bContext *C, wmOpera
 return nullptr;
 }
+ /* A single point is equally as invalid for a lasso gesture as no points. */
+ if (mcoords_len == 1) {
+ MEM_freeN((void *)mcoords);
+ return nullptr;
+ }
+
 sgcontext->lasso.projviewobjmat = ED_view3d_ob_project_mat_get(sgcontext->vc.rv3d,
 sgcontext->vc.obact);
 BLI_lasso_boundbox(&sgcontext->lasso.boundbox, mcoords, mcoords_len);
@@ -1528,6 +1534,7 @@ static void sculpt_gesture_trim_geometry_generate(SculptGestureContext *sgcontex
 ARegion *region = vc->region;
 const int tot_screen_points = sgcontext->tot_gesture_points;
+ BLI_assert(tot_screen_points > 1);
 float(*screen_points)[2] = sgcontext->gesture_points;
 const int trim_totverts = tot_screen_points * 2;
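Review bot: The guard `if (mcoords_len == 1)` is narrower than the precondition the second hunk asserts in the trim code (`BLI_assert(tot_screen_points > 1)`): a path with a non-null `mcoords` but zero points would pass this check and still violate that assert, so the two checks do not agree on the minimum. Writing it as `if (mcoords_len < 2) {` matches the assert and covers the zero case without depending on what the preceding check (whose condition is outside the hunk) rejects. The start of `sculpt_gesture_init_from_lasso` is also outside the hunk; the context lines use `sgcontext` right after the new block, so if it is allocated before this point the new `return nullptr;` (like the existing one above it) appears to leave it unfreed — worth confirming whether the caller owns it, and releasing it on these early exits if not.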
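Review bot: `BLI_assert(tot_screen_points > 1);` only documents the precondition in debug builds; in release builds nothing here stops `const int trim_totverts = tot_screen_points * 2;` and the sizing that follows from running on a degenerate point count, so the actual protection is the guard added in `sculpt_gesture_init_from_lasso`. A comment beside the assert would make that dependency visible to the next maintainer, e.g. `/* Gesture init rejects paths with fewer than two points; the vertex and face counts derived below assume that. */`. If other gesture shapes can reach this function with their own point counts, the same minimum needs to hold on their init paths as well. `sculpt_gesture_trim_geometry_generate` continues outside the hunk.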