author | Brecht Van Lommel <brechtvanlommel@gmail.com> | 2018-01-15 01:26:31 +0300 |
---|---|---|
committer | Brecht Van Lommel <brechtvanlommel@gmail.com> | 2018-01-17 22:25:42 +0300 |
commit | 07aed404cfb2759f97c60b9f64d8a9392dabaf1a (patch) | |
tree | ae47bdb684d0fbc8928dd2c011ca24a7fbfcb0d7 /source/blender/blenloader/intern | |
parent | d30cc1ea0b9ba64d8a1e22105528b6cb8077692c (diff) |
Fix buffer overflow vulnerability in thumbnail file reading.
Fixes CVE-2017-2908 from T52924.
Differential Revision: https://developer.blender.org/D3001
Diffstat (limited to 'source/blender/blenloader/intern')
-rw-r--r-- | source/blender/blenloader/intern/readfile.c | 55 |
1 files changed, 36 insertions, 19 deletions
diff --git a/source/blender/blenloader/intern/readfile.c b/source/blender/blenloader/intern/readfile.c
index 40b53d4c684..51b77938dea 100644
--- a/source/blender/blenloader/intern/readfile.c
+++ b/source/blender/blenloader/intern/readfile.c
@@ -982,7 +982,13 @@ static int *read_file_thumbnail(FileData *fd)
 BLI_endian_switch_int32(&data[1]);
 }
- if (bhead->len < BLEN_THUMB_MEMSIZE_FILE(data[0], data[1])) {
+ int width = data[0];
+ int height = data[1];
+
+ if (!BLEN_THUMB_SAFE_MEMSIZE(width, height)) {
+ break;
+ }
+ if (bhead->len < BLEN_THUMB_MEMSIZE_FILE(width, height)) {
 break;
 }
@@ -1421,23 +1427,28 @@ bool BLO_library_path_explode(const char *path, char *r_dir, char **r_group, cha
 BlendThumbnail *BLO_thumbnail_from_file(const char *filepath)
 {
 FileData *fd;
- BlendThumbnail *data;
+ BlendThumbnail *data = NULL;
 int *fd_data;
 fd = blo_openblenderfile_minimal(filepath);
 fd_data = fd ? read_file_thumbnail(fd) : NULL;
 if (fd_data) {
- const size_t sz = BLEN_THUMB_MEMSIZE(fd_data[0], fd_data[1]);
- data = MEM_mallocN(sz, __func__);
+ int width = fd_data[0];
+ int height = fd_data[1];
- BLI_assert((sz - sizeof(*data)) == (BLEN_THUMB_MEMSIZE_FILE(fd_data[0], fd_data[1]) - (sizeof(*fd_data) * 2)));
- data->width = fd_data[0];
- data->height = fd_data[1];
- memcpy(data->rect, &fd_data[2], sz - sizeof(*data));
- }
- else {
- data = NULL;
+ /* Protect against buffer overflow vulnerability. */
+ if (BLEN_THUMB_SAFE_MEMSIZE(width, height)) {
+ const size_t sz = BLEN_THUMB_MEMSIZE(width, height);
+ data = MEM_mallocN(sz, __func__);
+
+ if (data) {
+ BLI_assert((sz - sizeof(*data)) == (BLEN_THUMB_MEMSIZE_FILE(width, height) - (sizeof(*fd_data) * 2)));
+ data->width = width;
+ data->height = height;
+ memcpy(data->rect, &fd_data[2], sz - sizeof(*data));
+ }
+ }
 }
 blo_freefiledata(fd);
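Review bot: The new `BLEN_THUMB_SAFE_MEMSIZE(width, height)` guard in read_file_thumbnail carries no comment, and `width`/`height` are signed `int` values taken directly from the file block, so this hunk alone does not show whether negative or zero dimensions are rejected. The macro is defined outside this diff; it is worth confirming that it covers those cases as well as a product that overflows, because this is the first place the untrusted thumbnail header is checked. I would add a comment above the guard such as `/* width/height are untrusted file data: reject sizes whose byte count cannot be represented before comparing against bhead->len. */`. The function body starts and ends outside the hunk.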
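Review bot: The check, allocation and copy added to BLO_thumbnail_from_file are repeated almost line for line in blo_read_file_internal (the hunk at -8624), so the size validation now lives in two call sites that can drift apart. A single static helper that takes the `int *` returned by read_file_thumbnail and returns a `BlendThumbnail *` or NULL would keep the guard, the allocation check and the memcpy bound in one place, with both callers assigning its result. The relation between `sz` and the file block length is only stated by `BLI_assert`, which presumably compiles out in release builds, so the helper's comment should say that the copy length relies on the length check inside read_file_thumbnail. BLO_thumbnail_from_file continues past the end of the hunk.

```c
/* Build a BlendThumbnail from the block returned by read_file_thumbnail().
 * The copy length relies on read_file_thumbnail() having checked bhead->len.
 * Returns NULL when the dimensions are rejected or allocation fails. */
static BlendThumbnail *thumbnail_from_file_data(const int *fd_data)
{
	const int width = fd_data[0];
	const int height = fd_data[1];

	if (!BLEN_THUMB_SAFE_MEMSIZE(width, height)) {
		return NULL;
	}

	const size_t sz = BLEN_THUMB_MEMSIZE(width, height);
	BlendThumbnail *thumb = MEM_mallocN(sz, __func__);
	if (thumb == NULL) {
		return NULL;
	}

	/* … unchanged: BLI_assert on sz, width/height assignment, memcpy into thumb->rect … */
	return thumb;
}

	/* in BLO_thumbnail_from_file: */
	fd_data = fd ? read_file_thumbnail(fd) : NULL;
	data = fd_data ? thumbnail_from_file_data(fd_data) : NULL;
```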
@@ -8624,14 +8635,20 @@ BlendFileData *blo_read_file_internal(FileData *fd, const char *filepath)
 const int *data = read_file_thumbnail(fd);
 if (data) {
- const size_t sz = BLEN_THUMB_MEMSIZE(data[0], data[1]);
- bfd->main->blen_thumb = MEM_mallocN(sz, __func__);
-
- BLI_assert((sz - sizeof(*bfd->main->blen_thumb)) ==
- (BLEN_THUMB_MEMSIZE_FILE(data[0], data[1]) - (sizeof(*data) * 2)));
- bfd->main->blen_thumb->width = data[0];
- bfd->main->blen_thumb->height = data[1];
- memcpy(bfd->main->blen_thumb->rect, &data[2], sz - sizeof(*bfd->main->blen_thumb));
+ int width = data[0];
+ int height = data[1];
+
+ /* Protect against buffer overflow vulnerability. */
+ if (BLEN_THUMB_SAFE_MEMSIZE(width, height)) {
+ const size_t sz = BLEN_THUMB_MEMSIZE(width, height);
+ bfd->main->blen_thumb = MEM_mallocN(sz, __func__);
+
+ BLI_assert((sz - sizeof(*bfd->main->blen_thumb)) ==
+ (BLEN_THUMB_MEMSIZE_FILE(width, height) - (sizeof(*data) * 2)));
+ bfd->main->blen_thumb->width = width;
+ bfd->main->blen_thumb->height = height;
+ memcpy(bfd->main->blen_thumb->rect, &data[2], sz - sizeof(*bfd->main->blen_thumb));
+ }
 }
 } |
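Review bot: `bfd->main->blen_thumb` is written through immediately after `MEM_mallocN(sz, __func__)` with no NULL check, while the same commit adds `if (data) {` around the equivalent lines in BLO_thumbnail_from_file. If the allocator can return NULL for a size that passes `BLEN_THUMB_SAFE_MEMSIZE`, the `->width`/`->height` stores and the `memcpy` go through a null pointer on a file-controlled size. Wrapping the assert, the two assignments and the copy in `if (bfd->main->blen_thumb) {` would make the two call sites agree. The enclosing function starts and ends outside the hunk.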