Heap buffer overflow in Animation::_find()

[jamie-pate]

Tested versions

• Reproducible in 4.4.1-stable

System information

Godot v4.4.1.stable (49a5bc7) - Windows 11 (build 22631) - Multi-window, 1 monitor - Vulkan (Forward+) - integrated Intel(R) UHD Graphics 620 (Intel Corporation; 31.0.101.2115) - Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz (8 threads)

Issue description

While debugging process lockups during threaded loading I ran into this asan behavior

godot.windows.template_release.x86_64.san.exe!Animation::_findAnimation::MethodKey(const VectorAnimation::MethodKey & p_keys, double p_time, bool p_backward, bool p_limit) Line 2443 C++
godot.windows.template_release.x86_64.san.exe!Animation::track_find_key(int p_track, double p_time, Animation::FindMode p_find_mode, bool p_limit, bool p_backward) Line 1671 C++
godot.windows.template_release.x86_64.san.exe!AnimationMixer::_blend_process(double p_delta, bool p_update_only) Line 1655 C++
godot.windows.template_release.x86_64.san.exe!AnimationMixer::_process_animation(double p_delta, bool p_update_only) Line 990 C++
godot.windows.template_release.x86_64.san.exe!AnimationMixer::_notificationv(int p_notification, bool p_reversed) Line 44 C++
godot.windows.template_release.x86_64.san.exe!AnimationTree::_notificationv(int p_notification, bool p_reversed) Line 269 C++
godot.windows.template_release.x86_64.san.exe!Object::notification(int p_notification, bool p_reversed) Line 914 C++
godot.windows.template_release.x86_64.san.exe!SceneTree::_process_group(SceneTree::ProcessGroup * p_group, bool p_physics) Line 1064 C++
godot.windows.template_release.x86_64.san.exe!SceneTree::_process(bool p_physics) Line 1137 C++
godot.windows.template_release.x86_64.san.exe!SceneTree::process(double p_time) Line 585 C++
godot.windows.template_release.x86_64.san.exe!Main::iteration() Line 4529 C++
godot.windows.template_release.x86_64.san.exe!OS_Windows::run() Line 2075 C++
godot.windows.template_release.x86_64.san.exe!widechar_main(int argc, wchar_t * * argv) Line 97 C++
[Inline Frame] godot.windows.template_release.x86_64.san.exe!_main() Line 122 C++
godot.windows.template_release.x86_64.san.exe!main(int argc, char * * argv) Line 141 C++

Steps to reproduce

Set up the vsproject with scons vsproj=yes dev_build=yes use_asan=yes target=template_release and set the debugger Working Directory to the MRP

or build with scons dev_build=yes use_asan=yes target=template_release and run the MRP

Minimal reproduction project (MRP)

animation-heap-overflow-repro.zip

[jamie-pate]

[a-johnston]

from the usage, it seems like -2, -1, and p_keys.size() are all valid return values (although -1 can mean either not found and prior to first key or found but out of animation bounds) so the fix would be to just check for a legal index with that p_limit block?

[jamie-pate]

Likely introduced here:
4659090
affects
4.3-stable
4.4-stable
4.4.1-stable