Fix buffer overrun searching program path on win32

1 files changed, 17 insertions, 9 deletions

diff --git a/source/blender/blenlib/intern/path_util.c b/source/blender/blenlib/intern/path_util.c
index e85f72f6717..9cf360a77e3 100644
--- a/source/blender/blenlib/intern/path_util.c
+++ b/source/blender/blenlib/intern/path_util.c
@@ -57,6 +57,7 @@
 #  include <shlobj.h>
 #  include "BLI_winstuff.h"
 #  include "MEM_guardedalloc.h"
+#  include "BLI_alloca.h"
 #else
 #  include "unistd.h"
 #endif /* WIN32 */
@@ -1033,27 +1034,34 @@ bool BLI_path_program_extensions_add_win32(char *name, const size_t maxlen)
 
 	type = BLI_exists(name);
 	if ((type == 0) || S_ISDIR(type)) {
-		char filename[FILE_MAX];
+		/* typically 3-5, ".EXE", ".BAT"... etc */
+		const int ext_max = 12;
 		const char *ext = getenv("PATHEXT");
 		if (ext) {
 			const int name_len = strlen(name);
+			char *filename = alloca(name_len + ext_max);
+			char *filename_ext;
 			const char *ext_next;
+
 			/* null terminated in the loop */
 			memcpy(filename, name, name_len);
+			filename_ext = filename + name_len;
+
 			do {
 				int ext_len;
-
 				ext_next = strchr(ext, ';');
 				ext_len = ext_next ? ((ext_next++) - ext) : strlen(ext);
 
-				memcpy(filename + name_len, ext, ext_len);
-				filename[name_len + ext_len] = '\0';
+				if (LIKELY(ext_len < ext_max)) {
+					memcpy(filename_ext, ext, ext_len);
+					filename_ext[ext_len] = '\0';
 
-				type = BLI_exists(filename);
-				if (type && (!S_ISDIR(type))) {
-					retval = true;
-					BLI_strncpy(name, filename, maxlen);
-					break;
+					 type = BLI_exists(filename);
+					 if (type && (!S_ISDIR(type))) {
+						retval = true;
+						BLI_strncpy(name, filename, maxlen);
+						break;
+					}
 				}
 			} while ((ext = ext_next));
 		}