From f86c04272473f07e2e1d473f1c179a2326b0fd48 Mon Sep 17 00:00:00 2001 From: Julian Eisel Date: Wed, 15 Oct 2025 16:15:09 +0200 Subject: [PATCH] Fix: Undefined behavior when using UI list or tree-view scrollbar A scrollbar button would be cast to a number-slider button, and values from this memory used for scrollbar specific calculations. Looks like an error from 809499a3d0. In practice the error wouldn't be visible, since the actually used value would by chance be the intended value, from what I can tell. That's because `uiButNumberSlider.step_size` and `uiButScrollBar.visual_height` have the same memory offset within the button memory. --- source/blender/editors/interface/interface_handlers.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/blender/editors/interface/interface_handlers.cc b/source/blender/editors/interface/interface_handlers.cc index 4dcce033654..afdb51ebea0 100644 --- a/source/blender/editors/interface/interface_handlers.cc +++ b/source/blender/editors/interface/interface_handlers.cc @@ -5888,7 +5888,6 @@ static bool ui_numedit_but_SLI(uiBut *but, const bool snap, const bool shift) { - uiButNumberSlider *slider_but = reinterpret_cast(but); float cursor_x_range, f, tempf, softmin, softmax, softrange; int temp, lvalue; bool changed = false; @@ -5917,10 +5916,11 @@ static bool ui_numedit_but_SLI(uiBut *but, cursor_x_range = BLI_rctf_size_x(&but->rect); } else if (but->type == ButType::Scroll) { + uiButScrollBar *scroll_but = reinterpret_cast(but); const float size = (is_horizontal) ? BLI_rctf_size_x(&but->rect) : -BLI_rctf_size_y(&but->rect); cursor_x_range = size * (but->softmax - but->softmin) / - (but->softmax - but->softmin + slider_but->step_size); + (but->softmax - but->softmin + scroll_but->visual_height); } else { const float ofs = (BLI_rctf_size_y(&but->rect) / 2.0f);