POV-Ray Newsgroups, povray.beta-test
Re: Memory corruption in POV-Ray 3.7.1 and UberPOV
From: Le Forgeron
Date: 4 Oct 2015 04:13:36
Message: <5610dfb0@news.povray.org>
On 30/09/2015 20:37, clipka wrote:
> On 30.09.2015 at 19:55, Le_Forgeron wrote:
> 
>> I have kind of good & bad news...
> ...
>> Using valgrind on povray (the scene is fast enough), there is something
>> fishy in the *new* spline code (memcheck reports no problem with older
>> versions, such as the stable version).
> 
> First of all, thanks for digging this up.
> 
> If you feel like going the extra mile and conjuring up a hotfix for
> Cousin Ricky, I guess that would be welcome.
> 
> As for an official fix for the issue, my suggestion is to leave it be
> for now, as I'm currently doing a major overhaul of the splines code
> anyway, and this particular piece of code is already scheduled to be
> eradicated entirely.
> 

Just do not take another decade to finish it :-)

Here is a patch for that issue, revising the condition to avoid the
out-of-bounds access (moving from tree to tree2).

As the code is only executed at parse time, I did not try to optimize it
beyond not calling the size() function twice.

--- a/source/core/math/spline.cpp	Fri Sep 18 19:12:10 2015 +0200
+++ b/source/core/math/spline.cpp	Sun Oct 04 10:06:45 2015 +0200
@@ -670,7 +670,26 @@
     /* If p is already in spline, replace */
     /* The clause after the || is needed because findt returns
sp->SplineEntries.size()
      * if p is greater than OR EQUAL TO the highest par in the spline */

-    if(!sp->SplineEntries.empty() && ((sp->SplineEntries[i].par == p
)
|| (i == sp->SplineEntries.size() && sp->SplineEntries[i-1].par ==
 p)))
+    bool replace= false;
+    size_t splineSize = sp->SplineEntries.size();// might be needed
more than once, so compute and store
+    if (splineSize) // not empty
+    {
+      if (i==splineSize)
+      {// special case, i would be out of bound
+	if (sp->SplineEntries[i-1].par == p)
+	{
+	  replace = true;
+	}
+      }
+      else
+      {// normal branch, i is inbound
+	if (sp->SplineEntries[i].par == p)
+	{
+	  replace = true;
+	}
+      }
+    }
+    if (replace)
     {
         for(k=0; k<5; k++)
             sp->SplineEntries[i].vec[k] = v[k];
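Review bot: the new guard avoids reading sp->SplineEntries[i] when i == splineSize, but the replacement body that follows still writes to sp->SplineEntries[i] for that same case: replace is set to true when i == splineSize and SplineEntries[i-1].par == p, and the loop then assigns to SplineEntries[i].vec[k], one element past the end of the vector. Record the index to overwrite together with the flag (for example `i = splineSize - 1;` next to `replace = true;` in the special-case branch, or a separate `size_t target`) and use it in the loop. The comment above the condition still refers to "the clause after the ||", which the new code no longer has; reword it to describe the i == splineSize special case. The added lines also mix tabs and spaces (the inner ifs are tab-indented, the rest space-indented), unlike the surrounding code.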


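The situation the patch deals with, as an added stand-alone example (not POV-Ray code, and not the poster's patch): a minimal model of spline-entry insertion in which the lookup returns size() when p is greater than or equal to the highest par, so the i == size case must be tested before entries[i] is read, and the entry actually overwritten must be entries[size - 1] in that case. Entry, Spline, findt, insert_entry, sorted_by_par and build_demo are names assumed for this example; the real POV-Ray types and functions differ in detail. It goes one step beyond the patch above in also redirecting the write, not only the read, and the constructed build_demo input exercises every branch so the program can be run under valgrind or ASan cleanly.

```cpp
// Added example, not POV-Ray code: a minimal model of the spline-entry
// insertion discussed in the post. Entry, Spline, findt, insert_entry,
// sorted_by_par and build_demo are names assumed here; the real POV-Ray
// types and functions differ in detail.
#include <cstddef>
#include <cstdio>
#include <vector>

struct Entry {
    double par;     // parameter value the entry sits at
    double vec[5];  // value stored at that parameter
};

struct Spline {
    std::vector<Entry> entries;  // kept sorted by par
    bool coeffs_computed = false;
};

// Models the documented contract of findt: the index of the first entry
// whose par is >= p, except that any p greater than OR EQUAL TO the
// highest par yields entries.size(). That ">= highest" case is what makes
// a blind entries[i] read one element past the end of the vector.
std::size_t findt(const Spline& sp, double p) {
    const std::vector<Entry>& e = sp.entries;
    if (e.empty()) return 0;
    if (p >= e.back().par) return e.size();
    std::size_t lo = 0, hi = e.size() - 1;  // e[hi].par > p here
    while (lo < hi) {
        std::size_t mid = lo + (hi - lo) / 2;
        if (e[mid].par < p) lo = mid + 1; else hi = mid;
    }
    return lo;
}

// Insert v at parameter p, or replace the existing entry with that par.
// The i == n case is tested before entries[i] is ever read, and the entry
// to overwrite is recorded in target, so the replace branch never touches
// index n either.
void insert_entry(Spline& sp, double p, const double v[5]) {
    sp.coeffs_computed = false;  // stored values changed
    const std::size_t n = sp.entries.size();
    const std::size_t i = findt(sp, p);
    bool replace = false;
    std::size_t target = i;
    if (n != 0) {
        if (i == n) {                         // p >= highest par
            if (sp.entries[n - 1].par == p) { replace = true; target = n - 1; }
        } else if (sp.entries[i].par == p) {  // p already present
            replace = true;
        }
    }
    if (replace) {
        for (int k = 0; k < 5; ++k) sp.entries[target].vec[k] = v[k];
        return;
    }
    Entry e;
    e.par = p;
    for (int k = 0; k < 5; ++k) e.vec[k] = v[k];
    sp.entries.insert(sp.entries.begin() + static_cast<std::ptrdiff_t>(i), e);
}

// Invariant check: pars strictly increasing, i.e. no duplicate entries.
bool sorted_by_par(const Spline& sp) {
    for (std::size_t j = 1; j < sp.entries.size(); ++j)
        if (sp.entries[j - 1].par >= sp.entries[j].par) return false;
    return true;
}

// Constructed input exercising every branch: append, replace of the
// highest entry (findt returns size()), replace of an interior entry,
// interior insert, and insert past the end.
Spline build_demo() {
    Spline sp;
    const double a[5] = {1, 0, 0, 0, 0}, b[5] = {2, 0, 0, 0, 0};
    const double c[5] = {3, 0, 0, 0, 0}, d[5] = {9, 0, 0, 0, 0};
    insert_entry(sp, 0.0, a);
    insert_entry(sp, 1.0, b);
    insert_entry(sp, 2.0, c);
    insert_entry(sp, 2.0, d);  // findt gives 3 == size(): entry 2 is replaced, not entry 3
    insert_entry(sp, 1.0, d);  // interior replace
    insert_entry(sp, 0.5, a);  // interior insert
    insert_entry(sp, 3.0, a);  // append past the end
    return sp;
}

int main() {
    Spline sp = build_demo();
    for (const Entry& e : sp.entries)
        std::printf("par=%.1f vec[0]=%.0f\n", e.par, e.vec[0]);
    return sorted_by_par(sp) ? 0 : 1;
}
```

Building with `-fsanitize=address` (or running under `valgrind --tool=memcheck`) is the quick way to confirm that neither the read in the condition nor the write in the replace branch ever touches entries[size()]; drop the `i == n` test to see the invalid read reappear.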
Attachments: us-ascii (2 KB), tree.dot.png (30 KB), tree2.dot.png (27 KB)

Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.