Old IDProperty bug, (from original commit r8916),

found crash while changing operator string size. Shrinking arrays never worked right. rather then "newlen * sizeof(...)", it would memcpy "newlen * oldlen * sizeof(...)" which always goes over the array bounds.
2011-03-08 03:14:59 +00:00
parent b9db9e147e
commit 97edca3bc9
1 changed files with 1 additions and 1 deletions
--- a/source/blender/blenkernel/intern/idprop.c
+++ b/source/blender/blenkernel/intern/idprop.c
@@ -240,7 +240,7 @@ void IDP_ResizeArray(IDProperty *prop, int newlen)
 	else {
 		/* newlen is smaller*/
 		idp_resize_group_array(prop, newlen, newarr);
-		memcpy(newarr, prop->data.pointer, newlen*prop->len*idp_size_table[(int)prop->subtype]);
+		memcpy(newarr, prop->data.pointer, newlen*idp_size_table[(int)prop->subtype]);
 	}

 	MEM_freeN(prop->data.pointer);