Fix potential buffer overflows in USD export & OpenEXR

- Don't use the source string length +1 as the size of the destination
  (USD export & IMB_exr_get_handle_name).
- Correct undersized buffer being passed into imb_exr_insert_view_name.
Campbell Barton 2023-05-24 12:21:51 +10:00
parent f96e108b63
commit b5150ee8ea
2 changed files with 12 additions and 8 deletions


@ -762,7 +762,7 @@ void *IMB_exr_get_handle_name(const char *name)
if (data == nullptr) {
data = (ExrHandle *)IMB_exr_get_handle();
BLI_strncpy(data->name, name, strlen(name) + 1);
STRNCPY(data->name, name);
}
return data;
}
@ -819,12 +819,16 @@ static void imb_exr_get_views(MultiPartInputFile &file, StringVector &views)
}
/* Multi-layer Blender files have the view name in all the passes (even the default view one). */
static void imb_exr_insert_view_name(char *name_full, const char *passname, const char *viewname)
static void imb_exr_insert_view_name(char name_full[EXR_TOT_MAXNAME + 1],
const char *passname,
const char *viewname)
{
/* Match: `sizeof(ExrChannel::name)`. */
const size_t name_full_maxncpy = EXR_TOT_MAXNAME + 1;
BLI_assert(!ELEM(name_full, passname, viewname));
if (viewname == nullptr || viewname[0] == '\0') {
BLI_strncpy(name_full, passname, sizeof(ExrChannel::name));
BLI_strncpy(name_full, passname, name_full_maxncpy);
return;
}
@ -836,10 +840,10 @@ static void imb_exr_insert_view_name(char *name_full, const char *passname, cons
len = BLI_str_rpartition(passname, delims, &sep, &token);
if (sep) {
BLI_snprintf(name_full, EXR_PASS_MAXNAME, "%.*s.%s.%s", int(len), passname, viewname, token);
BLI_snprintf(name_full, name_full_maxncpy, "%.*s.%s.%s", int(len), passname, viewname, token);
}
else {
BLI_snprintf(name_full, EXR_PASS_MAXNAME, "%s.%s", passname, viewname);
BLI_snprintf(name_full, name_full_maxncpy, "%s.%s", passname, viewname);
}
}
@ -1140,7 +1144,7 @@ float *IMB_exr_channel_rect(void *handle,
/* name has to be unique, thus it's a combination of layer, pass, view, and channel */
if (layname && layname[0] != '\0') {
char temp_buf[EXR_PASS_MAXNAME];
char temp_buf[EXR_TOT_MAXNAME + 1];
imb_exr_insert_view_name(temp_buf, name, viewname);
STRNCPY(name, temp_buf);
}
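Review bot: The `char name_full[EXR_TOT_MAXNAME + 1]` parameter of imb_exr_insert_view_name still decays to `char *`, so the bound held in `name_full_maxncpy` is a convention the compiler does not check against callers. The caller in IMB_exr_channel_rect is fixed here, but any caller outside these hunks that passes a smaller buffer would still be overrun by the same `BLI_strncpy`/`BLI_snprintf` calls. If every caller passes an array of exactly that size, declaring the parameter as `char (&name_full)[EXR_TOT_MAXNAME + 1]` would make a mismatch a compile error. The `Match: sizeof(ExrChannel::name)` comment could likewise become `static_assert(sizeof(ExrChannel::name) == EXR_TOT_MAXNAME + 1, "name_full size mismatch");`. Separately, truncation by `BLI_snprintf` and by the final `STRNCPY(name, temp_buf)` is silent, which may matter because the comment above says the name has to be unique.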


@ -371,8 +371,8 @@ static void create_temp_path_for_usdz_export(const char *filepath,
char usdc_temp_filepath[FILE_MAX];
BLI_path_join(usdc_temp_filepath, FILE_MAX, BKE_tempdir_session(), "USDZ", usdc_file);
BLI_strncpy(job->unarchived_filepath, usdc_temp_filepath, strlen(usdc_temp_filepath) + 1);
BLI_strncpy(job->usdz_filepath, filepath, strlen(filepath) + 1);
STRNCPY(job->unarchived_filepath, usdc_temp_filepath);
STRNCPY(job->usdz_filepath, filepath);
MEM_freeN(usdc_file);
}
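Review bot: The two `STRNCPY` calls at the end of create_temp_path_for_usdz_export truncate silently, so a `filepath` longer than `job->usdz_filepath` would leave the job holding a different path from the one the caller asked for. The field sizes are not visible in this hunk, so whether that can happen depends on how `filepath` is bounded upstream. A length check before the copy, such as `if (strlen(filepath) >= sizeof(job->usdz_filepath)) { /* report and abort the export */ }`, would turn a wrong-path write into an explicit failure. The function returns `void` and its body starts outside the hunk, so it would need some way to signal that failure to its caller.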