fix for possible buffer overflow in gpu_nodes_get_vertex_attributes() and hair_velocity_smoothing()

and a unlikely NULL pointer dereference in unlink_material_cb().

source/blender/blenkernel/intern/implicit.c

@@ -1513,7 +1513,7 @@ static void hair_velocity_smoothing(ClothModifierData *clmd, lfVector *lF, lfVec
 		i = HAIR_GRID_INDEX(lX[v], gmin, gmax, 0);
 		j = HAIR_GRID_INDEX(lX[v], gmin, gmax, 1);
 		k = HAIR_GRID_INDEX(lX[v], gmin, gmax, 2);
-		if (i < 0 || j < 0 || k < 0 || i > 10 || j >= 10 || k >= 10)
+		if (i < 0 || j < 0 || k < 0 || i > 10 || j > 10 || k > 10)
 			continue;
 
 		lF[v][0] += smoothfac * (grid[i][j][k].velocity[0] - lV[v][0]);

source/blender/blenkernel/intern/mball.c

@@ -1319,12 +1319,16 @@ static void addtovertices(VERTICES *vertices, VERTEX v)
 
 static void vnormal(const float point[3], PROCESS *p, float r_no[3])
 {
-	float delta = 0.2f * p->delta;
+	const float delta = 0.2f * p->delta;
-	float f = p->function(point[0], point[1], point[2]);
+	const float f = p->function(point[0], point[1], point[2]);
 
 	r_no[0] = p->function(point[0] + delta, point[1], point[2]) - f;
 	r_no[1] = p->function(point[0], point[1] + delta, point[2]) - f;
 	r_no[2] = p->function(point[0], point[1], point[2] + delta) - f;
+
+#if 1
+	normalize_v3(r_no);
+#else
 	f = normalize_v3(r_no);
 	
 	if (0) {
@@ -1343,6 +1347,7 @@ static void vnormal(const float point[3], PROCESS *p, float r_no[3])
 			normalize_v3(r_no);
 		}
 	}
+#endif
 }
 
 

source/blender/editors/animation/fmodifier_ui.c

@@ -167,7 +167,7 @@ static void draw_modifier__generator(uiLayout *layout, ID *id, FModifier *fcm, s
 					uiDefBut(block, LABEL, 1, "y =", 0, 0, 40, 20, NULL, 0.0, 0.0, 0, 0, "");
 				
 				/* coefficient */
-				uiDefButF(block, NUM, B_FMODIFIER_REDRAW, "", 0, 0, bwidth/2, 20, cp, -UI_FLT_MAX, UI_FLT_MAX,
+				uiDefButF(block, NUM, B_FMODIFIER_REDRAW, "", 0, 0, bwidth / 2, 20, cp, -UI_FLT_MAX, UI_FLT_MAX,
 				          10, 3, TIP_("Coefficient for polynomial"));
 				
 				/* 'x' param (and '+' if necessary) */

source/blender/editors/space_outliner/outliner_tools.c

@@ -158,13 +158,18 @@ static void unlink_material_cb(bContext *UNUSED(C), Scene *UNUSED(scene), TreeEl
 		totcol = mb->totcol;
 		matar = mb->mat;
 	}
+	else {
+		BLI_assert(0);
+	}
 
+	if (LIKELY(matar != NULL)) {
 		for (a = 0; a < totcol; a++) {
 			if (a == te->index && matar[a]) {
 				matar[a]->id.us--;
 				matar[a] = NULL;
 			}
 		}
+	}
 }
 
 static void unlink_texture_cb(bContext *UNUSED(C), Scene *UNUSED(scene), TreeElement *te,

source/blender/gpu/intern/gpu_codegen.c

@@ -1046,7 +1046,8 @@ static void gpu_nodes_get_vertex_attributes(ListBase *nodes, GPUVertexAttribs *a
 					}
 				}
 
-				if (a == attribs->totlayer && a < GPU_MAX_ATTRIB) {
+				if (a < GPU_MAX_ATTRIB) {
+					if (a == attribs->totlayer) {
 						input->attribid = attribs->totlayer++;
 						input->attribfirst = 1;
 
@@ -1055,11 +1056,13 @@ static void gpu_nodes_get_vertex_attributes(ListBase *nodes, GPUVertexAttribs *a
 						BLI_strncpy(attribs->layer[a].name, input->attribname,
 						            sizeof(attribs->layer[a].name));
 					}
-				else
+					else {
 						input->attribid = attribs->layer[a].attribid;
 					}
 				}
 			}
+		}
+	}
 }
 
 static void gpu_nodes_get_builtin_flag(ListBase *nodes, int *builtin)

source/blender/windowmanager/intern/wm_event_system.c

@@ -2802,7 +2802,7 @@ void wm_event_add_ghostevent(wmWindowManager *wm, wmWindow *win, int type, int U
 				event.y = evt->y = (win->sizey - 1) - cy;
 			}
 			
-			event.val= 0;
+			event.val = 0;
 			
 			/* Use prevx/prevy so we can calculate the delta later */
 			event.prevx = event.x - pd->deltaX;