Fix buffer overflow vulnerabilities in mesh code.

Solves these security issues from T52924: CVE-2017-12081 CVE-2017-12082 CVE-2017-12086 CVE-2017-12099 CVE-2017-12100 CVE-2017-12101 CVE-2017-12105 While the specific overflow issue may be fixed, loading the repro .blend files may still crash because they are incomplete and corrupt. The way they crash may be impossible to exploit, but this is difficult to prove. Differential Revision: https://developer.blender.org/D3002
author: Brecht Van Lommel <brechtvanlommel@gmail.com> 2018-01-15 00:14:20 +0300
committer: Brecht Van Lommel <brechtvanlommel@gmail.com> 2018-01-18 02:54:07 +0300
commit: e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 (patch)
tree: f9248150341b73cd72978f9075a453fe021c2995 /source/blender/blenkernel/intern/multires.c
parent: e0f2c7aff484c7448903a1466829675494ebae6c (diff)
1 files changed, 35 insertions, 31 deletions
diff --git a/source/blender/blenkernel/intern/multires.c b/source/blender/blenkernel/intern/multires.c
index 3fc052414eb..9c8fc9bfd0c 100644
--- a/source/blender/blenkernel/intern/multires.c
+++ b/source/blender/blenkernel/intern/multires.c
@@ -440,7 +440,7 @@ int multiresModifier_reshapeFromDeformMod(Scene *scene, MultiresModifierData *mm
 	/* Create DerivedMesh for deformation modifier */
 	dm = get_multires_dm(scene, mmd, ob);
 	numVerts = dm->getNumVerts(dm);
-	deformedVerts = MEM_mallocN(sizeof(float[3]) * numVerts, "multiresReshape_deformVerts");
+	deformedVerts = MEM_malloc_arrayN(numVerts, sizeof(float[3]), "multiresReshape_deformVerts");
 
 	dm->getVertCos(dm, deformedVerts);
 	mti->deformVerts(md, ob, dm, deformedVerts, numVerts, 0);
@@ -533,7 +533,7 @@ static void multires_reallocate_mdisps(int totloop, MDisps *mdisps, int lvl)
 	/* reallocate displacements to be filled in */
 	for (i = 0; i < totloop; ++i) {
 		int totdisp = multires_grid_tot[lvl];
-		float (*disps)[3] = MEM_callocN(sizeof(float) * 3 * totdisp, "multires disps");
+		float (*disps)[3] = MEM_calloc_arrayN(totdisp, 3 * sizeof(float), "multires disps");
 
 		if (mdisps[i].disps)
 			MEM_freeN(mdisps[i].disps);
@@ -597,7 +597,7 @@ static void multires_grid_paint_mask_downsample(GridPaintMask *gpm, int level)
 {
 	if (level < gpm->level) {
 		int gridsize = BKE_ccg_gridsize(level);
-		float *data = MEM_callocN(sizeof(float) * SQUARE(gridsize),
+		float *data = MEM_calloc_arrayN(SQUARE(gridsize), sizeof(float),
 		                          "multires_grid_paint_mask_downsample");
 		int x, y;
 
@@ -642,7 +642,7 @@ static void multires_del_higher(MultiresModifierData *mmd, Object *ob, int lvl)
 					float (*disps)[3], (*ndisps)[3], (*hdisps)[3];
 					int totdisp = multires_grid_tot[lvl];
 
-					disps = MEM_callocN(sizeof(float) * 3 * totdisp, "multires disps");
+					disps = MEM_calloc_arrayN(totdisp, 3 * sizeof(float), "multires disps");
 
 					ndisps = disps;
 					hdisps = mdisp->disps;
@@ -785,7 +785,7 @@ void multiresModifier_base_apply(MultiresModifierData *mmd, Object *ob)
 
 	cddm = CDDM_from_mesh(me);
 	pmap = cddm->getPolyMap(ob, cddm);
-	origco = MEM_callocN(sizeof(float) * 3 * me->totvert, "multires apply base origco");
+	origco = MEM_calloc_arrayN(me->totvert, 3 * sizeof(float), "multires apply base origco");
 	for (i = 0; i < me->totvert; ++i)
 		copy_v3_v3(origco[i], me->mvert[i].co);
 
@@ -825,8 +825,8 @@ void multiresModifier_base_apply(MultiresModifierData *mmd, Object *ob)
 			 * BKE_mesh_calc_poly_normal_coords() */
 			fake_poly.totloop = p->totloop;
 			fake_poly.loopstart = 0;
-			fake_loops = MEM_mallocN(sizeof(MLoop) * p->totloop, "fake_loops");
-			fake_co = MEM_mallocN(sizeof(float) * 3 * p->totloop, "fake_co");
+			fake_loops = MEM_malloc_arrayN(p->totloop, sizeof(MLoop), "fake_loops");
+			fake_co = MEM_malloc_arrayN(p->totloop, 3 * sizeof(float), "fake_co");
 			
 			for (k = 0; k < p->totloop; ++k) {
 				int vndx = me->mloop[p->loopstart + k].v;
@@ -923,11 +923,11 @@ static void multires_subdivide(MultiresModifierData *mmd, Object *ob, int totlvl
 		lowGridData = lowdm->getGridData(lowdm);
 		lowdm->getGridKey(lowdm, &lowGridKey);
 
-		subGridData = MEM_callocN(sizeof(float *) * numGrids, "subGridData*");
+		subGridData = MEM_calloc_arrayN(numGrids, sizeof(float *), "subGridData*");
 
 		for (i = 0; i < numGrids; ++i) {
 			/* backup subsurf grids */
-			subGridData[i] = MEM_callocN(highGridKey.elem_size * highGridSize * highGridSize, "subGridData");
+			subGridData[i] = MEM_calloc_arrayN(highGridKey.elem_size, highGridSize * highGridSize, "subGridData");
 			memcpy(subGridData[i], highGridData[i], highGridKey.elem_size * highGridSize * highGridSize);
 
 			/* overwrite with current displaced grids */
@@ -1054,7 +1054,7 @@ static void multires_disp_run_cb(
 			if (gpm->data) {
 				MEM_freeN(gpm->data);
 			}
-			gpm->data = MEM_callocN(sizeof(float) * key->grid_area, "gpm.data");
+			gpm->data = MEM_calloc_arrayN(key->grid_area, sizeof(float), "gpm.data");
 		}
 
 		for (y = 0; y < gridSize; y++) {
@@ -1247,12 +1247,12 @@ void multires_modifier_update_mdisps(struct DerivedMesh *dm)
 
 			BLI_assert(highGridKey.elem_size == lowGridKey.elem_size);
 
-			subGridData = MEM_callocN(sizeof(CCGElem *) * numGrids, "subGridData*");
-			diffGrid = MEM_callocN(lowGridKey.elem_size * lowGridSize * lowGridSize, "diff");
+			subGridData = MEM_calloc_arrayN(numGrids, sizeof(CCGElem *), "subGridData*");
+			diffGrid = MEM_calloc_arrayN(lowGridKey.elem_size, lowGridSize * lowGridSize, "diff");
 
 			for (i = 0; i < numGrids; ++i) {
 				/* backup subsurf grids */
-				subGridData[i] = MEM_callocN(highGridKey.elem_size * highGridSize * highGridSize, "subGridData");
+				subGridData[i] = MEM_calloc_arrayN(highGridKey.elem_size, highGridSize * highGridSize, "subGridData");
 				memcpy(subGridData[i], highGridData[i], highGridKey.elem_size * highGridSize * highGridSize);
 
 				/* write difference of subsurf and displaced low level into high subsurf */
@@ -1363,10 +1363,10 @@ void multires_set_space(DerivedMesh *dm, Object *ob, int from, int to)
 	gridData = subsurf->getGridData(subsurf);
 	subsurf->getGridKey(subsurf, &key);
 
-	subGridData = MEM_callocN(sizeof(CCGElem *) * numGrids, "subGridData*");
+	subGridData = MEM_calloc_arrayN(numGrids, sizeof(CCGElem *), "subGridData*");
 
 	for (i = 0; i < numGrids; i++) {
-		subGridData[i] = MEM_callocN(key.elem_size * gridSize * gridSize, "subGridData");
+		subGridData[i] = MEM_calloc_arrayN(key.elem_size, gridSize * gridSize, "subGridData");
 		memcpy(subGridData[i], gridData[i], key.elem_size * gridSize * gridSize);
 	}
 	
@@ -1395,7 +1395,7 @@ void multires_set_space(DerivedMesh *dm, Object *ob, int from, int to)
 			if (!mdisp->disps) {
 				mdisp->totdisp = gridSize * gridSize;
 				mdisp->level = totlvl;
-				mdisp->disps = MEM_callocN(sizeof(float) * 3 * mdisp->totdisp, "disp in multires_set_space");
+				mdisp->disps = MEM_calloc_arrayN(mdisp->totdisp, 3 * sizeof(float), "disp in multires_set_space");
 			}
 
 			dispgrid = mdisp->disps;
@@ -1510,10 +1510,10 @@ DerivedMesh *multires_make_derived_from_derived(DerivedMesh *dm,
 	gridData = result->getGridData(result);
 	result->getGridKey(result, &key);
 
-	subGridData = MEM_mallocN(sizeof(CCGElem *) * numGrids, "subGridData*");
+	subGridData = MEM_malloc_arrayN(numGrids, sizeof(CCGElem *), "subGridData*");
 
 	for (i = 0; i < numGrids; i++) {
-		subGridData[i] = MEM_mallocN(key.elem_size * gridSize * gridSize, "subGridData");
+		subGridData[i] = MEM_malloc_arrayN(key.elem_size, gridSize * gridSize, "subGridData");
 		memcpy(subGridData[i], gridData[i], key.elem_size * gridSize * gridSize);
 	}
 
@@ -1603,7 +1603,7 @@ static void old_mdisps_convert(MFace *mface, MDisps *mdisp)
 	int x, y, S;
 	float (*disps)[3], (*out)[3], u = 0.0f, v = 0.0f; /* Quite gcc barking. */
 
-	disps = MEM_callocN(sizeof(float) * 3 * newtotdisp, "multires disps");
+	disps = MEM_calloc_arrayN(newtotdisp, 3 * sizeof(float), "multires disps");
 
 	out = disps;
 	for (S = 0; S < nvert; S++) {
@@ -1650,7 +1650,7 @@ void multires_load_old_250(Mesh *me)
 			int totdisp = mdisps[i].totdisp / nvert;
 			
 			for (j = 0; j < nvert; j++, k++) {
-				mdisps2[k].disps = MEM_callocN(sizeof(float) * 3 * totdisp, "multires disp in conversion");
+				mdisps2[k].disps = MEM_calloc_arrayN(totdisp, 3 * sizeof(float), "multires disp in conversion");
 				mdisps2[k].totdisp = totdisp;
 				mdisps2[k].level = mdisps[i].level;
 				memcpy(mdisps2[k].disps, mdisps[i].disps + totdisp * j, totdisp);
@@ -1710,8 +1710,8 @@ static void create_old_vert_face_map(ListBase **map, IndexNode **mem, const Mult
 	int i, j;
 	IndexNode *node = NULL;
 	
-	(*map) = MEM_callocN(sizeof(ListBase) * totvert, "vert face map");
-	(*mem) = MEM_callocN(sizeof(IndexNode) * totface * 4, "vert face map mem");
+	(*map) = MEM_calloc_arrayN(totvert, sizeof(ListBase), "vert face map");
+	(*mem) = MEM_calloc_arrayN(totface, 4 * sizeof(IndexNode), "vert face map mem");
 	node = *mem;
 	
 	/* Find the users */
@@ -1729,8 +1729,8 @@ static void create_old_vert_edge_map(ListBase **map, IndexNode **mem, const Mult
 	int i, j;
 	IndexNode *node = NULL;
 	
-	(*map) = MEM_callocN(sizeof(ListBase) * totvert, "vert edge map");
-	(*mem) = MEM_callocN(sizeof(IndexNode) * totedge * 2, "vert edge map mem");
+	(*map) = MEM_calloc_arrayN(totvert, sizeof(ListBase), "vert edge map");
+	(*mem) = MEM_calloc_arrayN(totedge, 2 * sizeof(IndexNode), "vert edge map mem");
 	node = *mem;
 	
 	/* Find the users */
@@ -1912,7 +1912,11 @@ static void multires_load_old_dm(DerivedMesh *dm, Mesh *me, int totlvl)
 	vsrc = mr->verts;
 	vdst = dm->getVertArray(dm);
 	totvert = (unsigned int)dm->getNumVerts(dm);
-	vvmap = MEM_callocN(sizeof(int) * totvert, "multires vvmap");
+	vvmap = MEM_calloc_arrayN(totvert, sizeof(int), "multires vvmap");
+
+	if (!vvmap) {
+		return;
+	}
 
 	lvl1 = mr->levels.first;
 	/* Load base verts */
@@ -1997,10 +2001,10 @@ static void multires_load_old_dm(DerivedMesh *dm, Mesh *me, int totlvl)
 		}
 
 		/* calculate vert to edge/face maps for each level (except the last) */
-		fmap = MEM_callocN(sizeof(ListBase *) * (mr->level_count - 1), "multires fmap");
-		emap = MEM_callocN(sizeof(ListBase *) * (mr->level_count - 1), "multires emap");
-		fmem = MEM_callocN(sizeof(IndexNode *) * (mr->level_count - 1), "multires fmem");
-		emem = MEM_callocN(sizeof(IndexNode *) * (mr->level_count - 1), "multires emem");
+		fmap = MEM_calloc_arrayN((mr->level_count - 1), sizeof(ListBase *), "multires fmap");
+		emap = MEM_calloc_arrayN((mr->level_count - 1), sizeof(ListBase *), "multires emap");
+		fmem = MEM_calloc_arrayN((mr->level_count - 1), sizeof(IndexNode *), "multires fmem");
+		emem = MEM_calloc_arrayN((mr->level_count - 1), sizeof(IndexNode *), "multires emem");
 		lvl = lvl1;
 		for (i = 0; i < (unsigned int)mr->level_count - 1; ++i) {
 			create_old_vert_face_map(fmap + i, fmem + i, lvl->faces, lvl->totvert, lvl->totface);
@@ -2302,7 +2306,7 @@ static void multires_apply_smat(Scene *scene, Object *ob, float smat[3][3])
 	cddm = mesh_get_derived_deform(scene, ob, CD_MASK_BAREMESH);
 
 	totvert = cddm->getNumVerts(cddm);
-	vertCos = MEM_mallocN(sizeof(*vertCos) * totvert, "multiresScale vertCos");
+	vertCos = MEM_malloc_arrayN(totvert, sizeof(*vertCos), "multiresScale vertCos");
 	cddm->getVertCos(cddm, vertCos);
 	for (i = 0; i < totvert; i++)
 		mul_m3_v3(smat, vertCos[i]);
@@ -2410,7 +2414,7 @@ void multires_topology_changed(Mesh *me)
 		if (!mdisp->totdisp || !mdisp->disps) {
 			if (grid) {
 				mdisp->totdisp = grid;
-				mdisp->disps = MEM_callocN(3 * mdisp->totdisp * sizeof(float), "mdisp topology");
+				mdisp->disps = MEM_calloc_arrayN(3 * sizeof(float),  mdisp->totdisp, "mdisp topology");
 			}
 
 			continue;
author	Brecht Van Lommel <brechtvanlommel@gmail.com>	2018-01-15 00:14:20 +0300
committer	Brecht Van Lommel <brechtvanlommel@gmail.com>	2018-01-18 02:54:07 +0300
commit	e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 (patch)
tree	f9248150341b73cd72978f9075a453fe021c2995 /source/blender/blenkernel/intern/multires.c
parent	e0f2c7aff484c7448903a1466829675494ebae6c (diff)