From 9f15ee3c7ae03c19a09f5a48e29960e18c6628c0 Mon Sep 17 00:00:00 2001
From: Campbell Barton
Date: Tue, 29 Mar 2022 10:11:40 +1100
Subject: Fix T96691: Heap corruption in file_browse_exec
Regression in [0], also use pad buffer by 1 instead of 2 which is no longer needed as the trailing slash is no longer added after allocating the string.
0682af0d63a44b050d57bdaf7699e364a311d711
---
source/blender/editors/space_buttons/buttons_ops.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/source/blender/editors/space_buttons/buttons_ops.c b/source/blender/editors/space_buttons/buttons_ops.c
index 46d6df7c69c..dc05e1bc609 100644
--- a/source/blender/editors/space_buttons/buttons_ops.c
+++ b/source/blender/editors/space_buttons/buttons_ops.c
@@ -222,13 +222,13 @@ static int file_browse_exec(bContext *C, wmOperator *op)
 /* Do this first so '//' isn't converted to '//\' on windows. */
 BLI_path_slash_ensure(path);
 if (is_relative) {
- const int path_len = BLI_strncpy_rlen(path, str, FILE_MAX);
 BLI_path_rel(path, BKE_main_blendfile_path(bmain));
- str = MEM_reallocN(str, path_len + 2);
- BLI_strncpy(str, path, FILE_MAX);
+ str_len = strlen(path);
+ str = MEM_reallocN(str, str_len + 1);
+ memcpy(str, path, str_len + 1);
 }
 else {
- str = MEM_reallocN(str, str_len + 2);
+ str = MEM_reallocN(str, str_len + 1);
 }
 }
 else {
--
cgit v1.2.3
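Review bot: In the non-relative `else` branch, `str = MEM_reallocN(str, str_len + 1);` resizes the buffer but copies nothing from `path`, so the slash added by `BLI_path_slash_ensure(path)` does not reach `str` on that branch. If `str_len` still holds the current length of `str` there (it is set outside this hunk, so this is inferred), the call changes nothing and could be dropped, or given a comment saying why it stays. In the relative branch, a comment above `str_len = strlen(path);` such as `/* Size from the final path: its length may differ after BLI_path_rel(). */` would record the invariant the fix relies on: the removed lines sized the allocation from the earlier length while bounding the copy by `FILE_MAX`. `file_browse_exec` begins and ends outside the hunk.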