Fix buffer overflow vulnerability in curve, font, particles code.

Solves these security issues from T52924: CVE-2017-12102 CVE-2017-12103 CVE-2017-12104 While the specific overflow issue may be fixed, loading the repro .blend files may still crash because they are incomplete and corrupt. The way they crash may be impossible to exploit, but this is difficult to prove. Differential Revision: https://developer.blender.org/D3002
author: Brecht Van Lommel <brechtvanlommel@gmail.com> 2018-01-15 08:57:26 +0300
committer: Brecht Van Lommel <brechtvanlommel@gmail.com> 2018-01-18 21:24:43 +0300
commit: 8dbd5ea4c8af218de60cab4de72624b1bb753363 (patch)
tree: 4e9d5d5e365b359e77f69a33e5389aedcc8e3826 /source/blender/blenkernel/intern/font.c
parent: 9287434fa1cecaf587ad8c01a32f86da0092d0f8 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/source/blender/blenkernel/intern/font.c b/source/blender/blenkernel/intern/font.c
index 0f309fcfa77..bad73bc8910 100644
--- a/source/blender/blenkernel/intern/font.c
+++ b/source/blender/blenkernel/intern/font.c
@@ -677,6 +677,9 @@ bool BKE_vfont_to_curve_ex(Main *bmain, Object *ob, int mode, ListBase *r_nubase
 
 		/* Create unicode string */
 		mem_tmp = MEM_malloc_arrayN((slen + 1), sizeof(wchar_t), "convertedmem");
+		if (!mem_tmp) {
+			return ok;
+		}
 
 		BLI_strncpy_wchar_from_utf8(mem_tmp, cu->str, slen + 1);
 
@@ -684,6 +687,9 @@ bool BKE_vfont_to_curve_ex(Main *bmain, Object *ob, int mode, ListBase *r_nubase
 			cu->strinfo = MEM_calloc_arrayN((slen + 4), sizeof(CharInfo), "strinfo compat");
 		}
 		custrinfo = cu->strinfo;
+		if (!custrinfo) {
+			return ok;
+		}
 
 		mem = mem_tmp;
 	}
author	Brecht Van Lommel <brechtvanlommel@gmail.com>	2018-01-15 08:57:26 +0300
committer	Brecht Van Lommel <brechtvanlommel@gmail.com>	2018-01-18 21:24:43 +0300
commit	8dbd5ea4c8af218de60cab4de72624b1bb753363 (patch)
tree	4e9d5d5e365b359e77f69a33e5389aedcc8e3826 /source/blender/blenkernel/intern/font.c
parent	9287434fa1cecaf587ad8c01a32f86da0092d0f8 (diff)