From 3654580b807381b4eb6248380a1e64359a99b403 Mon Sep 17 00:00:00 2001
From: Arthur Mendes
Date: Wed, 7 Oct 2020 15:27:46 -0300
Subject: [PATCH] Fix an out-of-bounds read in the deform animator

If the frame froze right before the end of an animation, the frameptr could become a value that, when used as an index, would be an index after the end of the frame vertex
---
 src/client/graphical/deform_animator.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/client/graphical/deform_animator.cpp b/src/client/graphical/deform_animator.cpp
index ceef8756..9716ae93 100644
--- a/src/client/graphical/deform_animator.cpp
+++ b/src/client/graphical/deform_animator.cpp
@@ -29,7 +29,7 @@ void DeformAnimator::advance(double ms)
 }
 this->dirtyFrame = true;
- _frameptr += (ms / frametime);
+ _frameptr = std::min(_frameptr + (ms / frametime), double(avector.size() - 1));
 }
 void DeformAnimator::runAnimation(const char* name)
 {
@@ -40,7 +40,6 @@ void DeformAnimator::runAnimation(const char* name)
 VertexDataGroup DeformAnimator::getCurrentFrame()
 {
- // TODO: interpolate
 auto& avector = _animation_frames[_animation_name];
 auto currptr = unsigned(_frameptr);
@@ -49,6 +48,7 @@ VertexDataGroup DeformAnimator::getCurrentFrame()
 /* No frame after here? Return the last one */
 if (nextptr >= _frameptr + 1) return avector[int(_frameptr)];
+ /// Interpolate frames
 auto vdcurrent = avector[int(_frameptr)];
 auto vdnext = avector[int(nextptr)];
 auto framemix = double(_frameptr - currptr);
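Review bot: The new clamp on the `+` line of the `@@ -29,7 +29,7 @@` hunk still permits an out-of-bounds index when `avector` is empty: `avector.size() - 1` is unsigned and wraps to the maximum `size_t`, so the bound becomes a huge double, `_frameptr` is never limited, and the later `avector[int(_frameptr)]` reads in `getCurrentFrame()` index past an empty vector. A guard before the arithmetic, `if (avector.empty()) return;`, closes that case (equivalently, clamp to `avector.empty() ? 0.0 : double(avector.size() - 1)`). `std::min` requires `<algorithm>`; the hunk does not show whether it is already included, so that is worth confirming. `avector` is declared above the hunk, so I am assuming it is the frame vector for the current animation; `advance()` begins outside the hunk.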