System Information
Operating system: Fedora 32
Graphics card: GTX 1080
Blender Version
Broken: 2.91
Worked: N/A
Short description of error
Heap buffer overflow when using the boundary brush with a subsurf modifier
Exact steps for others to reproduce the error
- Delete the bottom face of the default cube
- Add a subsurf modifier. Level 3 or 4 should work
- Sculpt mode -> Boundary brush
- Click around a bit, moving the boundary
==524849==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d000307bf8 at pc 0x0000075d3e43 bp 0x7ffcb535b270 sp 0x7ffcb535b260
READ of size 8 at 0x60d000307bf8 thread T0
#0 0x75d3e42 in SCULPT_vertex_all_face_sets_visible_get /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:419
#1 0x75defec in SCULPT_vertex_is_boundary /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:823
#2 0x76a9440 in sculpt_boundary_get_closest_boundary_vertex /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt_boundary.c:103
#3 0x76af9f8 in SCULPT_boundary_data_init /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt_boundary.c:491
#4 0x76c45de in SCULPT_do_boundary_brush /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt_boundary.c:854
#5 0x766864b in do_brush_action /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:5785
#6 0x767387c in do_tiled /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:6143
#7 0x76751dc in do_symmetrical_brush_actions /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:6224
#8 0x768923a in sculpt_stroke_update_step /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:7569
#9 0x75446b9 in paint_brush_stroke_add_step /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/paint_stroke.c:620
#10 0x7550321 in paint_stroke_modal /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/paint_stroke.c:1486
#11 0x474501d in wm_handler_operator_call /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm_event_system.c:2030
#12 0x474dfa8 in wm_handlers_do_intern /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm_event_system.c:2814
#13 0x474e24a in wm_handlers_do /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm_event_system.c:2862
#14 0x4753913 in wm_event_do_handlers /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm_event_system.c:3287
#15 0x47225d1 in WM_main /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm.c:475
#16 0x33c66d8 in main /home/hans/Documents/Blender-Git/blender/source/creator/creator.c:546
#17 0x7f3e603ae041 in __libc_start_main (/lib64/libc.so.6+0x27041)
#18 0x33c5a8d in _start (/home/hans/Documents/Blender-Git/build_linux_debug/bin/blender+0x33c5a8d)
0x60d000307bf8 is located 8 bytes to the left of 136-byte region [0x60d000307c00,0x60d000307c88)
allocated by thread T0 here:
#0 0x7f3e609c9837 in __interceptor_calloc (/lib64/libasan.so.6+0xb0837)
#1 0x1e793aa1 in MEM_lockfree_callocN /home/hans/Documents/Blender-Git/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:235
#2 0x46125d3 in mesh_vert_poly_or_loop_map_create /home/hans/Documents/Blender-Git/blender/source/blender/blenkernel/intern/mesh_mapping.c:213
#3 0x4613257 in BKE_mesh_vert_poly_map_create /home/hans/Documents/Blender-Git/blender/source/blender/blenkernel/intern/mesh_mapping.c:266
#4 0x3804412 in sculpt_update_object /home/hans/Documents/Blender-Git/blender/source/blender/blenkernel/intern/paint.c:1583
#5 0x3805bfd in BKE_sculpt_update_object_for_edit /home/hans/Documents/Blender-Git/blender/source/blender/blenkernel/intern/paint.c:1708
#6 0x768166c in SCULPT_stroke_modifiers_check /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:6959
#7 0x76833cb in SCULPT_cursor_geometry_info_update /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:7104
#8 0x77ee014 in paint_cursor_sculpt_session_update_and_init /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/paint_cursor.c:1364
#9 0x77f5c41 in paint_cursor_draw_3D_view_brush_cursor /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/paint_cursor.c:1782
#10 0x77f703e in paint_draw_cursor /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/paint_cursor.c:1904
#11 0x4728ae6 in wm_paintcursor_draw /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm_draw.c:121
#12 0x472fa83 in wm_draw_window_onscreen /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm_draw.c:776
#13 0x4730069 in wm_draw_window /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm_draw.c:827
#14 0x47314ad in wm_draw_update /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm_draw.c:1027
#15 0x47225e9 in WM_main /home/hans/Documents/Blender-Git/blender/source/blender/windowmanager/intern/wm.c:481
#16 0x33c66d8 in main /home/hans/Documents/Blender-Git/blender/source/creator/creator.c:546
#17 0x7f3e603ae041 in __libc_start_main (/lib64/libc.so.6+0x27041)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:419 in SCULPT_vertex_all_face_sets_visible_get
==524849==ABORTING
In a non-debug build this resulted in a crash, so that might be the result too.
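An added triage helper, not part of this report or of Blender's code: it parses the header, access and region lines of an AddressSanitizer heap report like the one above and turns "8 bytes to the left of a 136-byte region" on an 8-byte READ into a signed element index (here -1), which is the number to check against the indexing at the faulting line. The sample text is copied from the report above; skipping allocator frames by the substring "alloc" in the function name is a heuristic assumed by this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the lines of the report above that the triage needs.
SAMPLE_REPORT = """\
==524849==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d000307bf8 at pc 0x0000075d3e43 bp 0x7ffcb535b270 sp 0x7ffcb535b260
READ of size 8 at 0x60d000307bf8 thread T0
    #0 0x75d3e42 in SCULPT_vertex_all_face_sets_visible_get /home/hans/Documents/Blender-Git/blender/source/blender/editors/sculpt_paint/sculpt.c:419
0x60d000307bf8 is located 8 bytes to the left of 136-byte region [0x60d000307c00,0x60d000307c88)
allocated by thread T0 here:
    #0 0x7f3e609c9837 in __interceptor_calloc (/lib64/libasan.so.6+0xb0837)
    #1 0x1e793aa1 in MEM_lockfree_callocN /home/hans/Documents/Blender-Git/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:235
    #2 0x46125d3 in mesh_vert_poly_or_loop_map_create /home/hans/Documents/Blender-Git/blender/source/blender/blenkernel/intern/mesh_mapping.c:213
"""

BUG_RE = re.compile(r"ERROR: AddressSanitizer: (?P<bug>[\w-]+) on address")
ACCESS_RE = re.compile(r"^(?P<kind>READ|WRITE) of size (?P<size>\d+) at ", re.M)
REGION_RE = re.compile(r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of (?P<rsize>\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")

@dataclass
class AsanTriage:
    bug: str
    kind: str                     # READ or WRITE
    access_size: int
    region_size: int
    offset: int                   # bytes from region start (negative = before it)
    element_index: Optional[int]  # offset / access_size when it divides evenly
    fault_frame: str              # "func file:line" of the faulting frame
    alloc_frame: str              # first allocation frame that is not an allocator

def first_frame(part: str, skip_allocators: bool = False) -> str:
    """Return 'func location' of the first frame; heuristic: allocator frames contain 'alloc'."""
    for line in part.splitlines():
        if (m := FRAME_RE.match(line)) and not (skip_allocators and "alloc" in m["func"]):
            return f"{m['func']} {m['loc']}"
    return ""

def triage_asan(text: str) -> AsanTriage:
    head, _, alloc = text.partition("allocated by")  # fault section vs allocation stack
    bug, acc, reg = BUG_RE.search(head), ACCESS_RE.search(head), REGION_RE.search(head)
    if not (bug and acc and reg):
        raise ValueError("not a recognised AddressSanitizer heap report")
    size, rsize, dist = int(acc["size"]), int(reg["rsize"]), int(reg["dist"])
    # Offset relative to the start of the region: left of it is negative, right of it is past the end.
    offset = -dist if reg["side"] == "left" else rsize + dist
    idx = offset // size if offset % size == 0 else None  # -8 // 8 == -1: index -1 of an 8-byte array
    return AsanTriage(bug["bug"], acc["kind"], size, rsize, offset, idx,
                      first_frame(head), first_frame(alloc, skip_allocators=True))
```

For this report the helper reports a READ of 8 bytes at offset -8, i.e. element index -1 into a 136-byte (17 x 8) calloc'd region created in mesh_vert_poly_or_loop_map_create.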