From e50d56b4c679bf1d7e94c1a5eb3b252d298f86fe Mon Sep 17 00:00:00 2001
From: Sergey Lapin <slapinid@gmail.com>
Date: Wed, 5 Sep 2018 23:29:25 +0300
Subject: [PATCH] MeshDataTool memory corruption fix

Fix for incorrect types used in MeshDataTool for bones and weights.

If your mesh contains these memory accesses get OOB and might crash
the application

Closes #21713
---
 scene/resources/mesh_data_tool.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/scene/resources/mesh_data_tool.cpp b/scene/resources/mesh_data_tool.cpp
index 67323039256..a5449e1fe86 100644
--- a/scene/resources/mesh_data_tool.cpp
+++ b/scene/resources/mesh_data_tool.cpp
@@ -79,9 +79,9 @@ Error MeshDataTool::create_from_surface(const Ref<ArrayMesh> &p_mesh, int p_surf
 	if (arrays[Mesh::ARRAY_COLOR].get_type() != Variant::NIL)
 		col = arrays[Mesh::ARRAY_COLOR].operator PoolVector<Color>().read();
 
-	PoolVector<real_t>::Read bo;
+	PoolVector<int>::Read bo;
 	if (arrays[Mesh::ARRAY_BONES].get_type() != Variant::NIL)
-		bo = arrays[Mesh::ARRAY_BONES].operator PoolVector<real_t>().read();
+		bo = arrays[Mesh::ARRAY_BONES].operator PoolVector<int>().read();
 
 	PoolVector<real_t>::Read we;
 	if (arrays[Mesh::ARRAY_WEIGHTS].get_type() != Variant::NIL)
@@ -194,7 +194,7 @@ Error MeshDataTool::commit_to_surface(const Ref<ArrayMesh> &p_mesh) {
 	PoolVector<Vector2> u;
 	PoolVector<Vector2> u2;
 	PoolVector<Color> c;
-	PoolVector<real_t> b;
+	PoolVector<int> b;
 	PoolVector<real_t> w;
 	PoolVector<int> in;
 
@@ -233,7 +233,7 @@ Error MeshDataTool::commit_to_surface(const Ref<ArrayMesh> &p_mesh) {
 			col = c.write();
 		}
 
-		PoolVector<real_t>::Write bo;
+		PoolVector<int>::Write bo;
 		if (format & Mesh::ARRAY_FORMAT_BONES) {
 			b.resize(vcount * 4);
 			bo = b.write();