From 4333e070b43a4bf4280cf4a6ea1ebb7e2e875ef5 Mon Sep 17 00:00:00 2001
From: Jeroen Bakker
Date: Thu, 7 Aug 2025 15:26:42 +0200
Subject: [PATCH] Fix: SubDiv: Out of bound write loose normals

Updating loose normals leads to out of bound writes on the GPU. The reason is that normals are float3, but the code assumed they were float4.

Pull Request: https://projects.blender.org/blender/blender/pulls/144128
---
 .../draw/intern/mesh_extractors/extract_mesh_vbo_lnor.cc | 4 ++--
 source/blender/gpu/vulkan/vk_vertex_buffer.cc | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/source/blender/draw/intern/mesh_extractors/extract_mesh_vbo_lnor.cc b/source/blender/draw/intern/mesh_extractors/extract_mesh_vbo_lnor.cc
index 0fecba6ab05..66e86da5206 100644
--- a/source/blender/draw/intern/mesh_extractors/extract_mesh_vbo_lnor.cc
+++ b/source/blender/draw/intern/mesh_extractors/extract_mesh_vbo_lnor.cc
@@ -299,11 +299,11 @@ static void update_loose_normals(const MeshRenderData &mr,
 /* Default to zeroed attribute. The overlay shader should expect this and render engines should
 * never draw loose geometry. */
- const float4 default_normal(0.0f, 0.0f, 0.0f, 0.0f);
+ const float3 default_normal(0.0f, 0.0f, 0.0f);
 for (const int i : IndexRange::from_begin_end(loose_geom_start, vbo_size)) {
 /* TODO(fclem): This has HORRENDOUS performance. Prefer clearing the buffer on device with
 * something like glClearBufferSubData. */
- GPU_vertbuf_update_sub(&lnor, i * sizeof(float4), sizeof(float4), &default_normal);
+ GPU_vertbuf_update_sub(&lnor, i * sizeof(float3), sizeof(float3), &default_normal);
 }
 }
diff --git a/source/blender/gpu/vulkan/vk_vertex_buffer.cc b/source/blender/gpu/vulkan/vk_vertex_buffer.cc
index 1ec6b8b4820..f614128d058 100644
--- a/source/blender/gpu/vulkan/vk_vertex_buffer.cc
+++ b/source/blender/gpu/vulkan/vk_vertex_buffer.cc
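Review bot: In `update_loose_normals` the element size is still written out twice per call (`i * sizeof(float3)` and `sizeof(float3)`), independently of both `default_normal` and the actual layout of `lnor`, which is the same coupling that produced the out-of-bounds write this commit fixes. Deriving both from the value being copied, `GPU_vertbuf_update_sub(&lnor, i * sizeof(default_normal), sizeof(default_normal), &default_normal);`, keeps the size and the source in step. A comment or assert stating that the stride of the `lnor` format must equal that size would catch the next format change. The format of `lnor` is set outside this hunk, so whether it is float3 on every path cannot be confirmed from here.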
@@ -73,6 +73,8 @@ void VKVertexBuffer::update_sub(uint start_offset, uint data_size_in_bytes, cons
 /* Allocating huge buffers can fail, in that case we skip copying data. */
 return;
 }
+ BLI_assert_msg(start_offset + data_size_in_bytes <= buffer_.size_in_bytes(),
+ "Out of bound write to vertex buffer");
 if (buffer_.is_mapped()) {
 buffer_.update_sub_immediately(start_offset, data_size_in_bytes, data);
 }
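Review bot: The added `BLI_assert_msg` computes `start_offset + data_size_in_bytes` on two `uint` parameters, so the sum can wrap and let an out-of-range pair pass the check. It is also an assert, which is normally compiled out of release builds, so the write that follows stays unguarded there. A wrap-free condition is `data_size_in_bytes <= buffer_.size_in_bytes() && start_offset <= buffer_.size_in_bytes() - data_size_in_bytes`, and pairing it with an early `return` before `update_sub_immediately` would turn the diagnostic into an actual bound on the copy. The return type of `size_in_bytes()` is not visible in the hunk, and `update_sub` begins and ends outside it.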