From b211c944ec28f20d89f030749f2cf4a45b029242 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Markus=20M=C3=BCtzel?= Date: Wed, 20 Nov 2024 16:48:04 +0100 Subject: [PATCH] Avoid heap-buffer-overflow if xdata of patch object is a row vector (bug #66466). * libinterp/corefcn/graphics.cc (patch::properties::update_fvc): The "xdata" property of a patch graphics object is allowed to be a row vector (in which case it is treated like a column vector). In this case, check whether colors are set per vertex after the input has been transformed to column vectors. This avoids a potential heap-buffer-overflow when creating the "facevertexcdata" of the patch graphics object. --- libinterp/corefcn/graphics.cc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libinterp/corefcn/graphics.cc b/libinterp/corefcn/graphics.cc index e455b6ce79..745ec3b6b8 100644 --- a/libinterp/corefcn/graphics.cc +++ b/libinterp/corefcn/graphics.cc @@ -9691,10 +9691,6 @@ patch::properties::update_fvc () return; } - bool pervertex = false; - if (ncv == nv) - pervertex = true; - bool isRGB = false; if (cd.ndims () == 3) isRGB = true; @@ -9711,6 +9707,10 @@ patch::properties::update_fvc () zd = zd.as_column (); } + bool pervertex = false; + if (ncv == nv) + pervertex = true; + dv(0) = nv * nf; if (zd.isempty ()) dv(1) = 2;