From c317549587339f508b9fdf863354d258c726b8f8 Mon Sep 17 00:00:00 2001
From: Jamie Pate
Date: Tue, 20 May 2025 15:20:00 -0700
Subject: [PATCH] Fix Heap buffer overflow in Animation::_find()

Fixes #106647
---
 scene/resources/animation.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scene/resources/animation.cpp b/scene/resources/animation.cpp
index 5bb793abf85..f59f2ee79cb 100644
--- a/scene/resources/animation.cpp
+++ b/scene/resources/animation.cpp
@@ -2441,7 +2441,7 @@ int Animation::_find(const Vector &p_keys, double p_time, bool p_backward, bo
 }
 }
 
- if (p_limit) {
+ if (p_limit && middle > -1 && middle < len) {
 double diff = length - keys[middle].time;
 if ((std::signbit(keys[middle].time) && !Math::is_zero_approx(keys[middle].time)) || (std::signbit(diff) && !Math::is_zero_approx(diff))) {
 ERR_PRINT_ONCE_ED("Found the key outside the animation range. Consider using the clean-up option in AnimationTrackEditor to fix it.");
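Review bot: The new condition `if (p_limit && middle > -1 && middle < len)` stops the out-of-bounds read of `keys[middle]`, but nothing at the site says why `middle` can leave `[0, len)`, and the range check is now silently skipped in that case. A short comment above the condition would record it, e.g. `// middle can end up at -1 or len here; keys[middle] is only valid inside [0, len), so skip the range check otherwise.` The code that moves `middle` is outside this hunk, so confirm the wording against it. `middle >= 0` is the more conventional spelling of `middle > -1`. `_find()` continues past the end of the hunk, so it is also worth checking that any later `keys[middle]` access and the callers' use of the returned index are bounds-checked in the same way, since this guard covers only the limit block.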