Diffstat (limited to 'source/blender/blenloader')
-rw-r--r-- | source/blender/blenloader/BLO_blend_defs.h | 2 | ||||
-rw-r--r-- | source/blender/blenloader/intern/readfile.c | 79 | ||||
-rw-r--r-- | source/blender/blenloader/intern/versioning_250.c | 2 | ||||
-rw-r--r-- | source/blender/blenloader/intern/versioning_legacy.c | 2 |
4 files changed, 54 insertions, 31 deletions
diff --git a/source/blender/blenloader/BLO_blend_defs.h b/source/blender/blenloader/BLO_blend_defs.h
index a6b06a080cc..6776b1c3338 100644
--- a/source/blender/blenloader/BLO_blend_defs.h
+++ b/source/blender/blenloader/BLO_blend_defs.h
@@ -75,6 +75,6 @@ enum {
 ENDB = BLEND_MAKE_ID('E', 'N', 'D', 'B'),
 };
-#define BLEN_THUMB_MEMSIZE_FILE(_x, _y) (sizeof(int) * (size_t)(2 + (_x) * (_y)))
+#define BLEN_THUMB_MEMSIZE_FILE(_x, _y) (sizeof(int) * (2 + (size_t)(_x) * (size_t)(_y)))
 #endif /* __BLO_BLEND_DEFS_H__ */
diff --git a/source/blender/blenloader/intern/readfile.c b/source/blender/blenloader/intern/readfile.c
index 7ae616a68f6..1cd82a8cd49 100644
--- a/source/blender/blenloader/intern/readfile.c
+++ b/source/blender/blenloader/intern/readfile.c
@@ -304,7 +304,7 @@ static OldNewMap *oldnewmap_new(void)
 OldNewMap *onm= MEM_callocN(sizeof(*onm), "OldNewMap");
 onm->entriessize = 1024;
-onm->entries = MEM_mallocN(sizeof(*onm->entries)*onm->entriessize, "OldNewMap.entries");
+onm->entries = MEM_malloc_arrayN(onm->entriessize, sizeof(*onm->entries), "OldNewMap.entries");
 return onm;
 }
@@ -551,7 +551,7 @@ void blo_split_main(ListBase *mainlist, Main *main)
 /* (Library.temp_index -> Main), lookup table */
 const unsigned int lib_main_array_len = BLI_listbase_count(&main->library);
-Main **lib_main_array = MEM_mallocN(lib_main_array_len * sizeof(*lib_main_array), __func__);
+Main **lib_main_array = MEM_malloc_arrayN(lib_main_array_len, sizeof(*lib_main_array), __func__);
 int i = 0;
 for (Library *lib = main->library.first; lib; lib = lib->id.next, i++) {
@@ -997,7 +997,13 @@ static int *read_file_thumbnail(FileData *fd)
 BLI_endian_switch_int32(&data[1]);
 }
-if (bhead->len < BLEN_THUMB_MEMSIZE_FILE(data[0], data[1])) {
+int width = data[0];
+int height = data[1];
+
+if (!BLEN_THUMB_SAFE_MEMSIZE(width, height)) {
+break;
+}
+if (bhead->len < BLEN_THUMB_MEMSIZE_FILE(width, height)) {
 break;
 }
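Review bot: The rewritten BLEN_THUMB_MEMSIZE_FILE still cannot protect itself: `(size_t)(_x) * (size_t)(_y)` wraps silently when the product exceeds SIZE_MAX (realistic with two file-supplied ints and a 32-bit size_t), and a negative dimension converts to a huge value before the multiply. The macro is only sound after the caller has passed BLEN_THUMB_SAFE_MEMSIZE, which the readfile.c hunks do, but nothing at the definition says so. I would add above it `/* Byte size of an on-disk thumbnail block. Callers must check BLEN_THUMB_SAFE_MEMSIZE(_x, _y) first: this macro does no overflow or sign checking of its own. */`.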
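Review bot: In read_file_thumbnail the comparison `bhead->len < BLEN_THUMB_MEMSIZE_FILE(width, height)` mixes a signed bhead->len with a size_t, so a negative length would be converted to a large unsigned value and pass the check; whether that can happen depends on how bhead->len is validated when the block header is read, which is outside this hunk. If it is not rejected there, make the sign explicit: `if (bhead->len < 0 || (size_t)bhead->len < BLEN_THUMB_MEMSIZE_FILE(width, height)) {`. Evaluating the new BLEN_THUMB_SAFE_MEMSIZE guard before the size macro is the right order, since the macro itself does no overflow checking. read_file_thumbnail starts and ends outside the hunk.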
@@ -1436,23 +1442,28 @@ bool BLO_library_path_explode(const char *path, char *r_dir, char **r_group, cha
 BlendThumbnail *BLO_thumbnail_from_file(const char *filepath)
 {
 FileData *fd;
-BlendThumbnail *data;
+BlendThumbnail *data = NULL;
 int *fd_data;
 fd = blo_openblenderfile_minimal(filepath);
 fd_data = fd ? read_file_thumbnail(fd) : NULL;
 if (fd_data) {
-const size_t sz = BLEN_THUMB_MEMSIZE(fd_data[0], fd_data[1]);
-data = MEM_mallocN(sz, __func__);
+int width = fd_data[0];
+int height = fd_data[1];
-BLI_assert((sz - sizeof(*data)) == (BLEN_THUMB_MEMSIZE_FILE(fd_data[0], fd_data[1]) - (sizeof(*fd_data) * 2)));
-data->width = fd_data[0];
-data->height = fd_data[1];
-memcpy(data->rect, &fd_data[2], sz - sizeof(*data));
-}
-else {
-data = NULL;
+/* Protect against buffer overflow vulnerability. */
+if (BLEN_THUMB_SAFE_MEMSIZE(width, height)) {
+const size_t sz = BLEN_THUMB_MEMSIZE(width, height);
+data = MEM_mallocN(sz, __func__);
+
+if (data) {
+BLI_assert((sz - sizeof(*data)) == (BLEN_THUMB_MEMSIZE_FILE(width, height) - (sizeof(*fd_data) * 2)));
+data->width = width;
+data->height = height;
+memcpy(data->rect, &fd_data[2], sz - sizeof(*data));
+}
+}
 }
 blo_freefiledata(fd);
@@ -1998,7 +2009,7 @@ static void test_pointer_array(FileData *fd, void **mat)
 len = MEM_allocN_len(*mat)/fd->filesdna->pointerlen;
 if (fd->filesdna->pointerlen==8 && fd->memsdna->pointerlen==4) {
-ipoin=imat= MEM_mallocN(len * 4, "newmatar");
+ipoin=imat= MEM_malloc_arrayN(len, 4, "newmatar");
 lpoin= *mat;
 while (len-- > 0) {
@@ -2013,7 +2024,7 @@ static void test_pointer_array(FileData *fd, void **mat)
 }
 if (fd->filesdna->pointerlen==4 && fd->memsdna->pointerlen==8) {
-lpoin = lmat = MEM_mallocN(len * 8, "newmatar");
+lpoin = lmat = MEM_malloc_arrayN(len, 8, "newmatar");
 ipoin = *mat;
 while (len-- > 0) {
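Review bot: The comment `/* Protect against buffer overflow vulnerability. */` in BLO_thumbnail_from_file names the consequence but not the mechanism, so a reader cannot tell what BLEN_THUMB_SAFE_MEMSIZE is guarding. The hazard is the width * height multiplication on two ints read from the file: if it wraps, sz is too small and the memcpy below writes past the allocation. I would replace it with `/* width/height come from the file: reject sizes whose byte count would overflow, otherwise sz is undersized and the memcpy below overruns the allocation. */`; the identical comment in the blo_read_file_internal hunk would benefit from the same change. It is also worth a one-line comment that the memcpy of `sz - sizeof(*data)` bytes out of fd_data is only safe because read_file_thumbnail compared bhead->len against BLEN_THUMB_MEMSIZE_FILE, since that coupling is not visible here.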
@@ -4000,6 +4011,9 @@ static void direct_link_curve(FileData *fd, Curve *cu)
 cu->adt= newdataadr(fd, cu->adt);
 direct_link_animdata(fd, cu->adt);
+/* Protect against integer overflow vulnerability. */
+CLAMP(cu->len_wchar, 0, INT_MAX - 4);
+
 cu->mat = newdataadr(fd, cu->mat);
 test_pointer_array(fd, (void **)&cu->mat);
 cu->str = newdataadr(fd, cu->str);
@@ -4012,7 +4026,7 @@ static void direct_link_curve(FileData *fd, Curve *cu)
 else {
 cu->nurb.first=cu->nurb.last= NULL;
-tb = MEM_callocN(MAXTEXTBOX*sizeof(TextBox), "TextBoxread");
+tb = MEM_calloc_arrayN(MAXTEXTBOX, sizeof(TextBox), "TextBoxread");
 if (cu->tb) {
 memcpy(tb, cu->tb, cu->totbox*sizeof(TextBox));
 MEM_freeN(cu->tb);
@@ -4415,6 +4429,9 @@ static void direct_link_particlesettings(FileData *fd, ParticleSettings *part)
 for (a = 0; a < MAX_MTEX; a++) {
 part->mtex[a] = newdataadr(fd, part->mtex[a]);
 }
+
+/* Protect against integer overflow vulnerability. */
+CLAMP(part->trail_count, 1, 100000);
 }
 static void lib_link_particlesystems(FileData *fd, Object *ob, ID *id, ListBase *particles)
@@ -5362,9 +5379,9 @@ static void direct_link_modifiers(FileData *fd, ListBase *lb)
 collmd->xnew = newdataadr(fd, collmd->xnew);
 collmd->mfaces = newdataadr(fd, collmd->mfaces);
-collmd->current_x = MEM_callocN(sizeof(MVert)*collmd->numverts, "current_x");
-collmd->current_xnew = MEM_callocN(sizeof(MVert)*collmd->numverts, "current_xnew");
-collmd->current_v = MEM_callocN(sizeof(MVert)*collmd->numverts, "current_v");
+collmd->current_x = MEM_calloc_arrayN(collmd->numverts, sizeof(MVert), "current_x");
+collmd->current_xnew = MEM_calloc_arrayN(collmd->numverts, sizeof(MVert), "current_xnew");
+collmd->current_v = MEM_calloc_arrayN(collmd->numverts, sizeof(MVert), "current_v");
 #endif
 collmd->x = NULL;
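Review bot: Both new CLAMP calls, `CLAMP(cu->len_wchar, 0, INT_MAX - 4)` in direct_link_curve and `CLAMP(part->trail_count, 1, 100000)` in the direct_link_particlesettings hunk, use bounds whose derivation is not stated; the comment above each says what it defends against but not which arithmetic the bound keeps representable. Presumably code outside the hunk allocates len_wchar + 4 elements, and I cannot see what trail_count is multiplied by, so a reader has to go and find both. I would state the derivation in place, e.g. `/* The string buffers are allocated with len_wchar + 4 elements; keep that sum from overflowing int. */` (adjust once the + 4 origin is confirmed), and give the trail_count bound a named constant alongside the other particle limits rather than a bare 100000. direct_link_curve begins and ends outside the hunk.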
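Review bot: The TextBox allocation now uses MEM_calloc_arrayN for MAXTEXTBOX elements, but the memcpy two lines below still copies `cu->totbox*sizeof(TextBox)` bytes into it, and cu->totbox is read from the file. Unless totbox is clamped before this point (nothing in the hunk does it, and direct_link_curve begins outside the hunk), a file with totbox greater than MAXTEXTBOX still overruns the fresh buffer, which is the same class of defect this commit is fixing elsewhere. A one-line guard next to the new allocation closes it: `CLAMP(cu->totbox, 0, MAXTEXTBOX);` placed before the `if (cu->tb)`.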
@@ -8491,7 +8508,7 @@ static BHead *read_libblock(FileData *fd, Main *main, BHead *bhead, const short
 id = read_struct(fd, bhead, "lib block");
 if (id) {
-const short idcode = (bhead->code == ID_ID) ? GS(id->name) : bhead->code;
+const short idcode = GS(id->name);
 /* do after read_struct, for dna reconstruct */
 lb = which_libbase(main, idcode);
 if (lb) {
@@ -8928,14 +8945,20 @@ BlendFileData *blo_read_file_internal(FileData *fd, const char *filepath)
 const int *data = read_file_thumbnail(fd);
 if (data) {
-const size_t sz = BLEN_THUMB_MEMSIZE(data[0], data[1]);
-bfd->main->blen_thumb = MEM_mallocN(sz, __func__);
+int width = data[0];
+int height = data[1];
+
+/* Protect against buffer overflow vulnerability. */
+if (BLEN_THUMB_SAFE_MEMSIZE(width, height)) {
+const size_t sz = BLEN_THUMB_MEMSIZE(width, height);
+bfd->main->blen_thumb = MEM_mallocN(sz, __func__);
-BLI_assert((sz - sizeof(*bfd->main->blen_thumb)) ==
-(BLEN_THUMB_MEMSIZE_FILE(data[0], data[1]) - (sizeof(*data) * 2)));
-bfd->main->blen_thumb->width = data[0];
-bfd->main->blen_thumb->height = data[1];
-memcpy(bfd->main->blen_thumb->rect, &data[2], sz - sizeof(*bfd->main->blen_thumb));
+BLI_assert((sz - sizeof(*bfd->main->blen_thumb)) ==
+(BLEN_THUMB_MEMSIZE_FILE(width, height) - (sizeof(*data) * 2)));
+bfd->main->blen_thumb->width = width;
+bfd->main->blen_thumb->height = height;
+memcpy(bfd->main->blen_thumb->rect, &data[2], sz - sizeof(*bfd->main->blen_thumb));
+}
 }
 }
@@ -9056,7 +9079,7 @@ static void sort_bhead_old_map(FileData *fd)
 fd->tot_bheadmap = tot;
 if (tot == 0) return;
-bhs = fd->bheadmap = MEM_mallocN(tot * sizeof(struct BHeadSort), "BHeadSort");
+bhs = fd->bheadmap = MEM_malloc_arrayN(tot, sizeof(struct BHeadSort), "BHeadSort");
 for (bhead = blo_firstbhead(fd); bhead; bhead = blo_nextbhead(fd, bhead), bhs++) {
 bhs->bhead = bhead;
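Review bot: In blo_read_file_internal the new block writes through `bfd->main->blen_thumb` immediately after `MEM_mallocN(sz, __func__)` without checking the result, while the parallel hunk in BLO_thumbnail_from_file wraps the same assert, field stores and memcpy in `if (data)`. If MEM_mallocN can return NULL (the other hunk assumes it can), a large but SAFE_MEMSIZE-accepted thumbnail turns an allocation failure into a NULL dereference; mirror the guard here with `if (bfd->main->blen_thumb) {` around those lines and a matching `}`. blo_read_file_internal starts and ends outside the hunk.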
diff --git a/source/blender/blenloader/intern/versioning_250.c b/source/blender/blenloader/intern/versioning_250.c
index 3ee6891f17f..a2eea6cbe7a 100644
--- a/source/blender/blenloader/intern/versioning_250.c
+++ b/source/blender/blenloader/intern/versioning_250.c
@@ -951,7 +951,7 @@ void blo_do_versions_250(FileData *fd, Library *lib, Main *main)
 if (ob->totcol && ob->matbits == NULL) {
 int a;
-ob->matbits = MEM_callocN(sizeof(char)*ob->totcol, "ob->matbits");
+ob->matbits = MEM_calloc_arrayN(ob->totcol, sizeof(char), "ob->matbits");
 for (a = 0; a < ob->totcol; a++) ob->matbits[a] = (ob->colbits & (1<<a)) != 0;
 }
diff --git a/source/blender/blenloader/intern/versioning_legacy.c b/source/blender/blenloader/intern/versioning_legacy.c
index 6cb39a35b9d..b263ab15853 100644
--- a/source/blender/blenloader/intern/versioning_legacy.c
+++ b/source/blender/blenloader/intern/versioning_legacy.c
@@ -113,7 +113,7 @@ static void vcol_to_fcol(Mesh *me)
 if (me->totface == 0 || me->mcol == NULL) return;
-mcoln = mcolmain = MEM_mallocN(4*sizeof(int)*me->totface, "mcoln");
+mcoln = mcolmain = MEM_malloc_arrayN(me->totface, 4 * sizeof(int), "mcoln");
 mcol = (unsigned int *)me->mcol;
 mface = me->mface;
 for (a = me->totface; a > 0; a--, mface++) {