author | Ray Molenkamp <github@lazydodo.com> | 2019-03-31 22:45:13 +0300 |
---|---|---|
committer | Ray Molenkamp <github@lazydodo.com> | 2019-03-31 22:45:26 +0300 |
commit | a41008964c76014246417b045bd543a44397b3ca (patch) | |
tree | a0d4fc544447eb33daeb2f89880230f069bedc55 | |
parent | a4869df4c9d27279b44171d12cdece8989aaf255 (diff) |
Fix: Buffer overflow in StudioLight
sl->light_ambient is a float[3], so copy_v4_fl4 writes a fourth float past its end and
overwrites sl->free_function with a bogus pointer on 32-bit builds.
-rw-r--r-- | source/blender/blenkernel/intern/studiolight.c | 2 | ||||
-rw-r--r-- | source/blender/blenloader/intern/versioning_userdef.c | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/source/blender/blenkernel/intern/studiolight.c b/source/blender/blenkernel/intern/studiolight.c
index 7fe21053794..38975f9a227 100644
--- a/source/blender/blenkernel/intern/studiolight.c
+++ b/source/blender/blenkernel/intern/studiolight.c
@@ -1184,7 +1184,7 @@ void BKE_studiolight_init(void)
 STUDIOLIGHT_INTERNAL | STUDIOLIGHT_SPHERICAL_HARMONICS_COEFFICIENTS_CALCULATED | STUDIOLIGHT_TYPE_STUDIO);
 BLI_strncpy(sl->name, "Default", FILE_MAXFILE);
- copy_v4_fl4(sl->light_ambient, 0.025000, 0.025000, 0.025000, 1.000000);
+ copy_v3_fl3(sl->light_ambient, 0.025000, 0.025000, 0.025000);
 copy_v4_fl4(sl->light[0].vec, -0.580952, 0.228571, 0.781185, 0.0);
 copy_v4_fl4(sl->light[0].col, 0.900000, 0.900000, 0.900000, 1.000000);
diff --git a/source/blender/blenloader/intern/versioning_userdef.c b/source/blender/blenloader/intern/versioning_userdef.c
index 5bff0cd1c93..502b33a2b4a 100644
--- a/source/blender/blenloader/intern/versioning_userdef.c
+++ b/source/blender/blenloader/intern/versioning_userdef.c
@@ -452,7 +452,7 @@ void BLO_version_defaults_userpref_blend(Main *bmain, UserDef *userdef)
 userdef->light_param[3].flag = 1;
 userdef->light_param[3].smooth = 0.7;
- copy_v4_fl4(userdef->light_ambient, 0.025000, 0.025000, 0.025000, 1.000000);
+ copy_v3_fl3(userdef->light_ambient, 0.025000, 0.025000, 0.025000);
 userdef->flag &= ~( USER_FLAG_UNUSED_4); |
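Review bot: Nothing at the corrected call sites ties the number of floats written to the declared size of the destination, which is how a four-float copy into the three-float `light_ambient` got through in the first place. This applies to the `copy_v3_fl3` line in `BKE_studiolight_init` and to the matching line in `BLO_version_defaults_userpref_blend` in the second hunk. A compile-time guard beside each call would catch a future resize or a wrong helper, for example `BLI_STATIC_ASSERT(sizeof(sl->light_ambient) == sizeof(float[3]), "light_ambient holds 3 floats");` if the project's static-assert macro is in scope in these files. The two `copy_v4_fl4` calls left as context just below, on `sl->light[0].vec` and `sl->light[0].col`, follow the same pattern and their declarations are not visible here, so it is worth confirming both are `float[4]`. Both function bodies start and end outside the hunks.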