diff options
author | Brecht Van Lommel <brechtvanlommel@gmail.com> | 2018-01-15 00:14:20 +0300 |
---|---|---|
committer | Brecht Van Lommel <brechtvanlommel@gmail.com> | 2018-01-18 02:54:07 +0300 |
commit | e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 (patch) | |
tree | f9248150341b73cd72978f9075a453fe021c2995 /source/blender/modifiers/intern/MOD_mirror.c | |
parent | e0f2c7aff484c7448903a1466829675494ebae6c (diff) |
Fix buffer overflow vulnerabilities in mesh code.
Solves these security issues from T52924:
CVE-2017-12081
CVE-2017-12082
CVE-2017-12086
CVE-2017-12099
CVE-2017-12100
CVE-2017-12101
CVE-2017-12105
While the specific overflow issue may be fixed, loading the repro .blend
files may still crash because they are incomplete and corrupt. The way
they crash may be impossible to exploit, but this is difficult to prove.
Differential Revision: https://developer.blender.org/D3002
Diffstat (limited to 'source/blender/modifiers/intern/MOD_mirror.c')
-rw-r--r-- | source/blender/modifiers/intern/MOD_mirror.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/source/blender/modifiers/intern/MOD_mirror.c b/source/blender/modifiers/intern/MOD_mirror.c index 157f37e973c..6925e40a8c6 100644 --- a/source/blender/modifiers/intern/MOD_mirror.c +++ b/source/blender/modifiers/intern/MOD_mirror.c @@ -183,7 +183,7 @@ static DerivedMesh *doMirrorOnAxis(MirrorModifierData *mmd, if (do_vtargetmap) { /* second half is filled with -1 */ - vtargetmap = MEM_mallocN(sizeof(int) * maxVerts * 2, "MOD_mirror tarmap"); + vtargetmap = MEM_malloc_arrayN(maxVerts, 2 * sizeof(int), "MOD_mirror tarmap"); vtmap_a = vtargetmap; vtmap_b = vtargetmap + maxVerts; |