git.blender.org/blender.git - Unnamed repository; edit this file 'description' to name the repository.
author Kent Mein <mein@cs.umn.edu> 2008-04-15 19:52:18 +0400
committer Kent Mein <mein@cs.umn.edu> 2008-04-15 19:52:18 +0400
commit 6e6a6cdf553920c37f22746a0063bf3250f09634 (patch)
tree a80ef1d0f184fae9d26ad759c2203e27ad773668 /source/blender/imbuf/intern/radiance_hdr.c
parent e971f84927be514df6346118ac92cb854f70b3fe (diff)
This fixes a Buffer Overflow Vulnerability reported by
Secunia Research SAID: SA29818 (http://secunia.com/advisories/29818/)
Credit: Stefan Cornelius, Secunia Research

The old code tries to do a sscanf %s %d %s %d from a line in the image file.
Now it copies over that line to a max buffer of size 540 chars before doing the sscanf.
(I just picked a constant that was significantly large)
It also checks to see if it gets all 4 values; if not, return NULL.

Kent
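
A bounded parse of the kind the commit message describes, as an added example that is not part of the Blender commit: it additionally limits the line to the bytes left in the file buffer and gives every conversion a field width. `parse_resolution`, `LINE_MAX_LEN` and `AXIS_LEN` are hypothetical names, and the sample header is constructed.

```c
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 128 /* assumed cap on the resolution line */
#define AXIS_LEN 8       /* room for "-Y"/"+X"; format below uses %7s */

/* Hypothetical helper: parse "-Y <h> +X <w>\n" at mem[off..size).
 * Returns 0 and fills height/width, or -1 on malformed input. */
int parse_resolution(const unsigned char *mem, size_t size, size_t off,
                     int *height, int *width)
{
    char line[LINE_MAX_LEN], ori_y[AXIS_LEN], ori_x[AXIS_LEN];
    const unsigned char *nl;
    size_t len;

    if (off >= size)
        return -1;
    /* Search only the bytes that belong to the file buffer. */
    nl = memchr(mem + off, '\n', size - off);
    if (nl == NULL)
        return -1;
    len = (size_t)(nl - (mem + off));
    if (len >= sizeof(line)) /* reject rather than truncate */
        return -1;
    memcpy(line, mem + off, len);
    line[len] = '\0';

    /* Every conversion has a width: 7 chars + NUL fit AXIS_LEN, and
     * 9 digits always fit in a 32-bit int. */
    if (sscanf(line, "%7s %9d %7s %9d", ori_y, height, ori_x, width) != 4)
        return -1;
    if (*height <= 0 || *width <= 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample: resolution line followed by pixel data. */
    static const unsigned char sample[] = "-Y 512 +X 768\n\x01\x02";
    int h = 0, w = 0;

    if (parse_resolution(sample, sizeof(sample) - 1, 0, &h, &w) == 0)
        printf("height=%d width=%d\n", h, w);
    return 0;
}
```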
Diffstat (limited to 'source/blender/imbuf/intern/radiance_hdr.c')
-rw-r--r-- source/blender/imbuf/intern/radiance_hdr.c 6
1 files changed, 5 insertions, 1 deletions
diff --git a/source/blender/imbuf/intern/radiance_hdr.c b/source/blender/imbuf/intern/radiance_hdr.c
index 3cb9ca79ffc..792bec69e91 100644
--- a/source/blender/imbuf/intern/radiance_hdr.c
+++ b/source/blender/imbuf/intern/radiance_hdr.c
@@ -61,6 +61,7 @@
#define BLU 2
#define EXP 3
#define COLXS 128
+#define STR_MAX 540
typedef unsigned char RGBE[4];
typedef float fCOLOR[3];
/* copy source -> dest */
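Review bot: STR_MAX at the new #define has no comment saying which buffer it bounds or where 540 comes from, and the name is generic enough to collide with other headers. Suggest a name tied to its use (the resolution line of the HDR header) and a one-line comment stating the limit it is meant to enforce.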
@@ -181,6 +182,7 @@ struct ImBuf *imb_loadhdr(unsigned char *mem, int size, int flags)
unsigned char* ptr;
unsigned char* rect;
char oriY[80], oriX[80];
+ char buff[STR_MAX];
if (imb_is_a_hdr((void*)mem))
{
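Review bot: buff is declared with STR_MAX (540) bytes while oriY and oriX on the line above remain 80 bytes, so the new bound is larger than the two arrays it sits beside. Give the 80 a named constant too, so the relationship between the three sizes is explicit and can be checked wherever they are filled.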
@@ -192,7 +194,9 @@ struct ImBuf *imb_loadhdr(unsigned char *mem, int size, int flags)
}
}
if (found) {
- sscanf((char*)&mem[x+1], "%s %d %s %d", (char*)&oriY, &height, (char*)&oriX, &width);
+ BLI_strncpy(buff, (char *)&mem[x+1], sizeof(buff));
+ if (sscanf(buff, "%s %d %s %d", (char*)&oriY, &height,
+ (char*)&oriX, &width) != 4) return NULL;
/* find end of this line, data right behind it */
ptr = (unsigned char *)strchr((char*)&mem[x+1], '\n');
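Review bot: the two %s conversions in the new sscanf call still carry no field width, so the write into oriY and oriX is limited only by sizeof(buff), not by their own size; with the 80-byte arrays use "%79s %d %79s %d". BLI_strncpy is also given sizeof(buff) with no reference to the function's size argument, and the strchr on the last context line scans mem the same way, so both should be limited to the bytes remaining after x+1. The != 4 check accepts zero or negative height and width; reject those here as well.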