Fix heap buffer overflow in Cycles IES parser
The IES parser in Cycles could hit a heap buffer overflow when unsupported or invalid data was provided to it. The error was caused by the way the string was copied into a vector, which skipped the trailing null terminator. C-style string utilities are later used for parsing, and they expect the data to be null-terminated. It is unclear why the data needed to be stored as a vector: storing it as a string simplifies initialization. The easiest way to reproduce the issue is to use a Blender build with address sanitizer enabled. Pull Request: https://projects.blender.org/blender/blender/pulls/116752
parent
534a1c9ecd
commit
d86d86f729
|
@ -32,6 +32,7 @@ set(SRC
|
||||||
integrator_tile_test.cpp
|
integrator_tile_test.cpp
|
||||||
render_graph_finalize_test.cpp
|
render_graph_finalize_test.cpp
|
||||||
util_aligned_malloc_test.cpp
|
util_aligned_malloc_test.cpp
|
||||||
|
util_ies_test.cpp
|
||||||
util_math_test.cpp
|
util_math_test.cpp
|
||||||
util_md5_test.cpp
|
util_md5_test.cpp
|
||||||
util_path_test.cpp
|
util_path_test.cpp
|
||||||
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
/* SPDX-FileCopyrightText: 2011-2024 Blender Foundation
|
||||||
|
*
|
||||||
|
* SPDX-License-Identifier: Apache-2.0 */
|
||||||
|
|
||||||
|
#include "testing/testing.h"
|
||||||
|
|
||||||
|
#include "util/ies.h"
|
||||||
|
|
||||||
|
CCL_NAMESPACE_BEGIN
|
||||||
|
|
||||||
|
TEST(util_ies, invalid)
|
||||||
|
{
|
||||||
|
IESFile ies_file;
|
||||||
|
|
||||||
|
EXPECT_FALSE(ies_file.load("Hello, World!"));
|
||||||
|
}
|
||||||
|
|
||||||
|
CCL_NAMESPACE_END
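Review bot: The single `EXPECT_FALSE(ies_file.load("Hello, World!"));` case only demonstrates the original over-read when the test binary is built with a memory sanitizer; in a plain build the pre-fix code may well return false too, so the test would not have caught the regression on its own. It would help to say so in a comment above the test, for example `/* Regression test for an out-of-bounds read on unterminated input; meaningful under ASan. */`. The boundary inputs are also uncovered: an empty buffer, `EXPECT_FALSE(ies_file.load(""));`, and an input that contains the `\nTILT=` marker but ends immediately after it, so that parsing runs up to the terminator. Both are constructed examples and are expected, not confirmed from this page, to be rejected.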
|
|
@ -63,11 +63,11 @@ void IESFile::pack(float *data)
|
||||||
|
|
||||||
class IESTextParser {
|
class IESTextParser {
|
||||||
public:
|
public:
|
||||||
vector<char> text;
|
string text;
|
||||||
char *data;
|
char *data;
|
||||||
bool error;
|
bool error;
|
||||||
|
|
||||||
IESTextParser(const string &str) : text(str.begin(), str.end()), error(false)
|
IESTextParser(const string &str) : text(str), error(false)
|
||||||
{
|
{
|
||||||
std::replace(text.begin(), text.end(), ',', ' ');
|
std::replace(text.begin(), text.end(), ',', ' ');
|
||||||
data = strstr(&text[0], "\nTILT=");
|
data = strstr(&text[0], "\nTILT=");
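Review bot: The null termination that `strstr(&text[0], "\nTILT=")` and the later C-style parsing rely on is now an implicit property of `string text`, and nothing in the class records that requirement, so a later change back to a raw buffer would silently reintroduce the over-read. A comment on the member would pin it, for example `/* Must stay null-terminated: parsed with C string functions via data. */`. Separately, `data` points into `text`'s own storage, and with `std::string` a short input may sit in the object's inline buffer, so an implicit copy or move of the parser would leave `data` dangling. If no caller outside this hunk needs to copy the parser, `IESTextParser(const IESTextParser &) = delete;` would make that explicit. The class body continues past the end of the hunk, so how `data` is advanced and bounds-checked cannot be judged from here.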
|
||||||
|
|