author | Campbell Barton <ideasman42@gmail.com> | 2021-08-24 06:25:26 +0300 |
---|---|---|
committer | Campbell Barton <ideasman42@gmail.com> | 2021-08-24 07:25:15 +0300 |
commit | 8b55cda04812255922f488ad6bacd228d5d290a6 (patch) | |
tree | 9d45f358d6cc1835c461763fdc0c83872854c331 /source/blender/editors | |
parent | 8371df8b1c12bdae574370d77819c46d8280f20f (diff) |
Fix BLI_str_utf8_as_unicode_step reading past intended bounds
Add a string length argument to BLI_str_utf8_as_unicode_step to prevent
reading past the buffer bounds or the intended range since some callers
of this function take a string length to operate on part of the string.
Font drawing for example didn't respect the length argument,
potentially causing a buffer over-read with multi-byte characters
that could read past the end of the string.
The following command would read 5 bytes past the end of the input.
`BLF_draw(font_id, (char[]){252}, 1);`
In practice strings are typically null terminated so this didn't crash
reading past buffer bounds.
Nevertheless, this wasn't correct and could cause bugs in the future.
Clamping by the length now has the same behavior as a null byte.
Add test to ensure this is working as intended.
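The commit message above describes the shape of the defect: a decoder that derives the sequence length from the lead byte alone will walk past the end of the range it was given, and the fix is to clamp at the caller's length exactly as it would at a NUL. The block below is an added example for this page, not Blender's `BLI_str_utf8_as_unicode_step` and not the commit's test; the function names, the `Utf8Step` struct and the choice to return U+FFFD for a truncated or malformed sequence are assumptions of this example. It keeps the legacy 5- and 6-byte lead forms only so that the `252` case from the message exercises the bounds check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constant for this example: what a truncated sequence decodes to. */
#define UNICODE_REPLACEMENT 0xFFFDu

/* Result of one decoding step: the code point and the index just after it. */
typedef struct {
  uint32_t code;
  size_t next;
} Utf8Step;

/* Bytes the sequence starting with lead byte `c` claims to have, or 0 when
 * `c` cannot start a sequence (a continuation byte or 0xFE/0xFF). The 5- and
 * 6-byte forms are obsolete but are what a table-driven decoder would see
 * for a lead byte such as 252 (0xFC). */
static size_t utf8_seq_len(unsigned char c)
{
  if (c < 0x80) return 1;
  if ((c & 0xE0) == 0xC0) return 2;
  if ((c & 0xF0) == 0xE0) return 3;
  if ((c & 0xF8) == 0xF0) return 4;
  if ((c & 0xFC) == 0xF8) return 5;
  if ((c & 0xFE) == 0xFC) return 6;
  return 0;
}

/* Decode one code point starting at p[*index] without ever touching p[len]
 * or beyond. Reaching `len` behaves exactly like a terminating NUL: the call
 * returns 0 and leaves *index unchanged. A sequence that is malformed or
 * would extend past `len` consumes a single byte and yields
 * UNICODE_REPLACEMENT, so a caller loop always makes progress. */
uint32_t utf8_as_unicode_step_len(const char *p, size_t len, size_t *index)
{
  const unsigned char *s = (const unsigned char *)p;
  size_t i = *index;
  if (i >= len || s[i] == 0) {
    return 0;
  }
  size_t n = utf8_seq_len(s[i]);
  if (n == 0 || n > len - i) {
    /* Invalid lead byte, or the claimed length runs past the allowed range:
     * this is the branch the unbounded decoder lacked. */
    *index = i + 1;
    return UNICODE_REPLACEMENT;
  }
  /* Payload bits of the lead byte: 7 for ASCII, otherwise 7 - n. */
  uint32_t cp = (n == 1) ? s[i] : (uint32_t)(s[i] & (0x7Fu >> n));
  for (size_t k = 1; k < n; k++) {
    if ((s[i + k] & 0xC0) != 0x80) {
      *index = i + 1;
      return UNICODE_REPLACEMENT;
    }
    cp = (cp << 6) | (s[i + k] & 0x3F);
  }
  *index = i + n;
  return cp;
}

/* Convenience wrapper returning both outputs of one step by value. */
Utf8Step utf8_step_at(const char *p, size_t len, size_t index)
{
  Utf8Step r;
  r.code = utf8_as_unicode_step_len(p, len, &index);
  r.next = index;
  return r;
}

/* Same loop shape as the text_insert_exec callers in the diff: iterate
 * until the decoder reports the end of the range (or a NUL). */
size_t count_codepoints(const char *str, size_t len)
{
  size_t i = 0, count = 0;
  while (utf8_as_unicode_step_len(str, len, &i) != 0) {
    count++;
  }
  return count;
}

int main(void)
{
  /* Constructed input mirroring the message: a lone 0xFC lead byte, length 1.
   * The unbounded decoder would read 5 bytes past it; this one stops. */
  const char lone_lead[1] = {(char)252};
  Utf8Step s = utf8_step_at(lone_lead, 1, 0);
  printf("lead 252, len 1 -> U+%04X, consumed %zu byte(s)\n", s.code, s.next);
  printf("\"h\\xC3\\xA9llo\" len 6 -> %zu code points\n", count_codepoints("h\xC3\xA9llo", 6));
  printf("\"h\\xC3\\xA9llo\" len 2 -> %zu code points\n", count_codepoints("h\xC3\xA9llo", 2));
  return 0;
}
```

Note that the length check is `n > len - i` rather than `i + n > len`: with `i < len` already established the subtraction cannot wrap, whereas the addition could for a length near `SIZE_MAX`.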
Diffstat (limited to 'source/blender/editors')
-rw-r--r-- | source/blender/editors/space_text/text_ops.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/source/blender/editors/space_text/text_ops.c b/source/blender/editors/space_text/text_ops.c index b5fcadbefe8..f480f60a2b9 100644 --- a/source/blender/editors/space_text/text_ops.c +++ b/source/blender/editors/space_text/text_ops.c @@ -3424,25 +3424,26 @@ static int text_insert_exec(bContext *C, wmOperator *op) SpaceText *st = CTX_wm_space_text(C); Text *text = CTX_data_edit_text(C); char *str; + int str_len; bool done = false; size_t i = 0; uint code; text_drawcache_tag_update(st, 0); - str = RNA_string_get_alloc(op->ptr, "text", NULL, 0, NULL); + str = RNA_string_get_alloc(op->ptr, "text", NULL, 0, &str_len); ED_text_undo_push_init(C); if (st && st->overwrite) { while (str[i]) { - code = BLI_str_utf8_as_unicode_step(str, &i); + code = BLI_str_utf8_as_unicode_step(str, str_len, &i); done |= txt_replace_char(text, code); } } else { while (str[i]) { - code = BLI_str_utf8_as_unicode_step(str, &i); + code = BLI_str_utf8_as_unicode_step(str, str_len, &i); done |= txt_add_char(text, code); } } |
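Review bot: `str_len` is declared `int` while the index it is paired with (`i`) is `size_t`; if the new length parameter of `BLI_str_utf8_as_unicode_step` is also `size_t`, an implicit conversion of a negative value would become an effectively unbounded length, so either give `str_len` the same type as the parameter or guard the call with something like `BLI_assert(str_len >= 0);` right after `RNA_string_get_alloc`. Both loops still use `while (str[i])` as their only condition; now that the length is in hand, `while (i < (size_t)str_len && str[i])` would make the bound explicit at the call site rather than relying on the decoder's clamp behaving like a NUL.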