fix for error in string copy

- BLI_strncpy_wchar_from_utf8 wasn't NULL terminating the destination string, caused uninitialized memory use in BPY_python_start().
- BLI_strncpy_wchar_as_utf8 could write one byte past the buffer bounds.

3 files changed, 13 insertions, 8 deletions

diff --git a/source/blender/blenkernel/intern/font.c b/source/blender/blenkernel/intern/font.c
index b3edeb67928..7c23438f93d 100644
--- a/source/blender/blenkernel/intern/font.c
+++ b/source/blender/blenkernel/intern/font.c
@@ -516,7 +516,7 @@ struct CharTrans *BKE_vfont_to_curve(Main *bmain, Scene *scene, Object *ob, int
 
 	/* Create unicode string */
 	utf8len = BLI_strlen_utf8(cu->str);
-	mem = MEM_callocN(((utf8len + 1) * sizeof(wchar_t)), "convertedmem");
+	mem = MEM_mallocN(((utf8len + 1) * sizeof(wchar_t)), "convertedmem");
 
 	BLI_strncpy_wchar_from_utf8(mem, cu->str, utf8len + 1);
 
diff --git a/source/blender/blenlib/intern/string_utf8.c b/source/blender/blenlib/intern/string_utf8.c
index edfcdf145eb..a0ab16e24d6 100644
--- a/source/blender/blenlib/intern/string_utf8.c
+++ b/source/blender/blenlib/intern/string_utf8.c
@@ -197,6 +197,10 @@ char *BLI_strncpy_utf8(char *__restrict dst, const char *__restrict src, size_t
 
 	BLI_assert(maxncpy != 0);
 
+#ifdef DEBUG_STRSIZE
+	memset(dst, 0xff, sizeof(*dst) * maxncpy);
+#endif
+
 	/* note: currently we don't attempt to deal with invalid utf8 chars */
 	BLI_STR_UTF8_CPY(dst, src, maxncpy);
 
@@ -226,6 +230,7 @@ char *BLI_strncat_utf8(char *__restrict dst, const char *__restrict src, size_t
 
 size_t BLI_strncpy_wchar_as_utf8(char *__restrict dst, const wchar_t *__restrict src, const size_t maxncpy)
 {
+	const size_t maxlen = maxncpy - 1;
 	size_t len = 0;
 
 	BLI_assert(maxncpy != 0);
@@ -234,7 +239,7 @@ size_t BLI_strncpy_wchar_as_utf8(char *__restrict dst, const wchar_t *__restrict
 	memset(dst, 0xff, sizeof(*dst) * maxncpy);
 #endif
 
-	while (*src && len < maxncpy) { /* XXX can still run over the buffer because utf8 size isn't known :| */
+	while (*src && len != maxlen) { /* XXX can still run over the buffer because utf8 size isn't known :| */
 		len += BLI_str_utf8_from_unicode((unsigned int)*src++, dst + len);
 	}
 
@@ -310,6 +315,7 @@ size_t BLI_strnlen_utf8(const char *strc, const size_t maxlen)
 
 size_t BLI_strncpy_wchar_from_utf8(wchar_t *__restrict dst_w, const char *__restrict src_c, const size_t maxncpy)
 {
+	const size_t maxlen = maxncpy - 1;
 	size_t len = 0;
 
 	BLI_assert(maxncpy != 0);
@@ -318,11 +324,7 @@ size_t BLI_strncpy_wchar_from_utf8(wchar_t *__restrict dst_w, const char *__rest
 	memset(dst_w, 0xff, sizeof(*dst_w) * maxncpy);
 #endif
 
-	if (dst_w == NULL || src_c == NULL) {
-		return 0;
-	}
-
-	while (*src_c && len < maxncpy) {
+	while (*src_c && len != maxlen) {
 		size_t step = 0;
 		unsigned int unicode = BLI_str_utf8_as_unicode_and_size(src_c, &step);
 		if (unicode != BLI_UTF8_ERR) {
@@ -336,6 +338,9 @@ size_t BLI_strncpy_wchar_from_utf8(wchar_t *__restrict dst_w, const char *__rest
 		dst_w++;
 		len++;
 	}
+
+	*dst_w = 0;
+
 	return len;
 }
 
diff --git a/source/blender/editors/curve/editfont.c b/source/blender/editors/curve/editfont.c
index 5b2cc49d106..a04c3fc3c8f 100644
--- a/source/blender/editors/curve/editfont.c
+++ b/source/blender/editors/curve/editfont.c
@@ -380,7 +380,7 @@ static int paste_file(bContext *C, ReportList *reports, const char *filename)
 
 	if (cu->len + filelen < MAXTEXT) {
 		int tmplen;
-		wchar_t *mem = MEM_callocN((sizeof(wchar_t) * filelen) + (4 * sizeof(wchar_t)), "temporary");
+		wchar_t *mem = MEM_mallocN((sizeof(wchar_t) * filelen) + (4 * sizeof(wchar_t)), "temporary");
 		tmplen = BLI_strncpy_wchar_from_utf8(mem, strp, filelen + 1);
 		wcscat(ef->textbuf, mem);
 		MEM_freeN(mem);