From e6df02861e17f75d4dd243776f35208681b78465 Mon Sep 17 00:00:00 2001 From: Brecht Van Lommel Date: Mon, 15 Jan 2018 06:57:26 +0100 Subject: Fix buffer overflow vulnerability in curve, font, particles code. Solves these security issues from T52924: CVE-2017-12102 CVE-2017-12103 CVE-2017-12104 While the specific overflow issue may be fixed, loading the repro .blend files may still crash because they are incomplete and corrupt. The way they crash may be impossible to exploit, but this is difficult to prove. Differential Revision: https://developer.blender.org/D3002 --- source/blender/blenkernel/intern/font.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'source/blender/blenkernel/intern/font.c') diff --git a/source/blender/blenkernel/intern/font.c b/source/blender/blenkernel/intern/font.c index 7c4185616ac..a314cc0a131 100644 --- a/source/blender/blenkernel/intern/font.c +++ b/source/blender/blenkernel/intern/font.c @@ -693,6 +693,9 @@ bool BKE_vfont_to_curve_ex(Main *bmain, Object *ob, Curve *cu, int mode, ListBas /* Create unicode string */ mem_tmp = MEM_malloc_arrayN((slen + 1), sizeof(wchar_t), "convertedmem"); + if (!mem_tmp) { + return ok; + } BLI_strncpy_wchar_from_utf8(mem_tmp, cu->str, slen + 1); @@ -700,6 +703,9 @@ bool BKE_vfont_to_curve_ex(Main *bmain, Object *ob, Curve *cu, int mode, ListBas cu->strinfo = MEM_calloc_arrayN((slen + 4), sizeof(CharInfo), "strinfo compat"); } custrinfo = cu->strinfo; + if (!custrinfo) { + return ok; + } mem = mem_tmp; } -- cgit v1.2.3