diff options
author | Brecht Van Lommel <brechtvanlommel@gmail.com> | 2018-01-15 08:57:26 +0300 |
---|---|---|
committer | Brecht Van Lommel <brechtvanlommel@gmail.com> | 2018-01-18 02:54:07 +0300 |
commit | e6df02861e17f75d4dd243776f35208681b78465 (patch) | |
tree | b4ebbb1f9752f3cab8ada017f40d91172971915a /source/blender/blenkernel/intern/font.c | |
parent | e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 (diff) |
Fix buffer overflow vulnerability in curve, font, particles code.
Solves these security issues from T52924:
CVE-2017-12102
CVE-2017-12103
CVE-2017-12104
While the specific overflow issue may be fixed, loading the repro .blend
files may still crash because they are incomplete and corrupt. The way
they crash may be impossible to exploit, but this is difficult to prove.
Differential Revision: https://developer.blender.org/D3002
Diffstat (limited to 'source/blender/blenkernel/intern/font.c')
-rw-r--r-- | source/blender/blenkernel/intern/font.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/source/blender/blenkernel/intern/font.c b/source/blender/blenkernel/intern/font.c index 7c4185616ac..a314cc0a131 100644 --- a/source/blender/blenkernel/intern/font.c +++ b/source/blender/blenkernel/intern/font.c @@ -693,6 +693,9 @@ bool BKE_vfont_to_curve_ex(Main *bmain, Object *ob, Curve *cu, int mode, ListBas /* Create unicode string */ mem_tmp = MEM_malloc_arrayN((slen + 1), sizeof(wchar_t), "convertedmem"); + if (!mem_tmp) { + return ok; + } BLI_strncpy_wchar_from_utf8(mem_tmp, cu->str, slen + 1); @@ -700,6 +703,9 @@ bool BKE_vfont_to_curve_ex(Main *bmain, Object *ob, Curve *cu, int mode, ListBas cu->strinfo = MEM_calloc_arrayN((slen + 4), sizeof(CharInfo), "strinfo compat"); } custrinfo = cu->strinfo; + if (!custrinfo) { + return ok; + } mem = mem_tmp; } |