From d3f7fba472cd83940a1374a9e0df79922599369d Mon Sep 17 00:00:00 2001
From: Campbell Barton <ideasman42@gmail.com>
Date: Sat, 17 May 2008 22:37:34 +0000
Subject: [PATCH] fix for [#11691] No checks in curve code for "Number of
 points <= Order U" added checks for a nurbes orderu being larger then pntsu.
 This has the same effect as the curve having only 1 point. (its display list
 is not generated but it is still added but a dummy displist with zero points
 is made) memcpy was also being used where the memory overlaped (probably
 worked in most cases but this is incorrect and valgrind complained), use
 memmove instead.

---
 source/blender/blenkernel/intern/curve.c    |  4 +++-
 source/blender/blenkernel/intern/displist.c |  2 +-
 source/blender/src/editcurve.c              | 14 ++++++++++++--
 3 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/source/blender/blenkernel/intern/curve.c b/source/blender/blenkernel/intern/curve.c
index 0db327f6efb..ca237ecab78 100644
--- a/source/blender/blenkernel/intern/curve.c
+++ b/source/blender/blenkernel/intern/curve.c
@@ -1476,7 +1476,9 @@ void makeBevelList(Object *ob)
 	else nu= cu->nurb.first;
 	
 	while(nu) {
-		if(nu->pntsu<=1) {
+		/* check we are a single point? also check we are not a surface and that the orderu is sane,
+		 * enforced in the UI but can go wrong possibly */
+		if(nu->pntsu<2 || ((nu->type & 7)==CU_NURBS && nu->pntsu < nu->orderu)) {
 			bl= MEM_callocN(sizeof(BevList)+1*sizeof(BevPoint), "makeBevelList");
 			BLI_addtail(&(cu->bev), bl);
 			bl->nr= 0;
diff --git a/source/blender/blenkernel/intern/displist.c b/source/blender/blenkernel/intern/displist.c
index 6f5660b2a3f..3e7dd113956 100644
--- a/source/blender/blenkernel/intern/displist.c
+++ b/source/blender/blenkernel/intern/displist.c
@@ -783,7 +783,7 @@ static void curve_to_displist(Curve *cu, ListBase *nubase, ListBase *dispbase)
 			else
 				resolu= nu->resolu;
 			
-			if(nu->pntsu<2);
+			if(nu->pntsu<2 || ((nu->type & 7)==CU_NURBS && nu->pntsu < nu->orderu));
 			else if((nu->type & 7)==CU_BEZIER) {
 				
 				/* count */
diff --git a/source/blender/src/editcurve.c b/source/blender/src/editcurve.c
index 34dcab09c2a..7572391b383 100644
--- a/source/blender/src/editcurve.c
+++ b/source/blender/src/editcurve.c
@@ -3658,6 +3658,11 @@ void delNurb()
 					}
 				}
 			}
+			
+			/* Never allow the order to exceed the number of points */
+			if ((nu->type & 7)==CU_NURBS && (nu->pntsu < nu->orderu)) {
+				nu->orderu = nu->pntsu;
+			}
 			nu= next;
 		}
 		/* 2nd loop, delete small pieces: just for curves */
@@ -3669,7 +3674,7 @@ void delNurb()
 				bezt= nu->bezt;
 				for(a=0;a<nu->pntsu;a++) {
 					if( BEZSELECTED_HIDDENHANDLES(bezt) ) {
-						memcpy(bezt, bezt+1, (nu->pntsu-a-1)*sizeof(BezTriple));
+						memmove(bezt, bezt+1, (nu->pntsu-a-1)*sizeof(BezTriple));
 						nu->pntsu--;
 						a--;
 						event= 1;
@@ -3690,7 +3695,7 @@ void delNurb()
 				
 				for(a=0;a<nu->pntsu;a++) {
 					if( bp->f1 & SELECT ) {
-						memcpy(bp, bp+1, (nu->pntsu-a-1)*sizeof(BPoint));
+						memmove(bp, bp+1, (nu->pntsu-a-1)*sizeof(BPoint));
 						nu->pntsu--;
 						a--;
 						event= 1;
@@ -3704,6 +3709,11 @@ void delNurb()
 					memcpy(bp1, nu->bp, (nu->pntsu)*sizeof(BPoint) );
 					MEM_freeN(nu->bp);
 					nu->bp= bp1;
+					
+					/* Never allow the order to exceed the number of points */
+					if ((nu->type & 7)==CU_NURBS && (nu->pntsu < nu->orderu)) {
+						nu->orderu = nu->pntsu;
+					}
 				}
 				makeknots(nu, 1, nu->flagu>>1);
 			}