From 66aa4af83611de2c59d9e8ab4ded1b48bec4a635 Mon Sep 17 00:00:00 2001
From: Bastien Montagne
Date: Wed, 27 Jan 2016 18:04:50 +0100
Subject: Fix T47252: FileBrowser: buffer overflow with scripts defining too long 'filter_glob' string. Fixed this with three changes: * filter_glob is now 255 char max (63 could be a bit limited in some rare cases). * IO templates now explicitely define max len of that property (such that scripters are aware of the limit). * ED_fileselect_set_params() is now safe regarding too long strings from a 'filter_glob' op property.
---
 source/blender/editors/space_file/filesel.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'source/blender/editors/space_file/filesel.c')
diff --git a/source/blender/editors/space_file/filesel.c b/source/blender/editors/space_file/filesel.c
index a83cae6eb17..981b101519c 100644
--- a/source/blender/editors/space_file/filesel.c
+++ b/source/blender/editors/space_file/filesel.c
@@ -186,7 +186,13 @@ short ED_fileselect_set_params(SpaceFile *sfile)
 if ((prop = RNA_struct_find_property(op->ptr, "filter_collada")))
 params->filter |= RNA_property_boolean_get(op->ptr, prop) ? FILE_TYPE_COLLADA : 0;
 if ((prop = RNA_struct_find_property(op->ptr, "filter_glob"))) {
- RNA_property_string_get(op->ptr, prop, params->filter_glob);
+ /* Protection against pyscripts not setting proper size limit... */
+ char *tmp = RNA_property_string_get_alloc(
+ op->ptr, prop, params->filter_glob, sizeof(params->filter_glob), NULL);
+ if (tmp != params->filter_glob) {
+ BLI_strncpy(params->filter_glob, tmp, sizeof(params->filter_glob));
+ MEM_freeN(tmp);
+ }
 params->filter |= (FILE_TYPE_OPERATOR | FILE_TYPE_FOLDER);
 }
 else {
-- cgit v1.2.3
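Review bot: In the `tmp != params->filter_glob` branch an over-long `filter_glob` is cut down to fit `params->filter_glob` with no diagnostic, so the last pattern in the list can be truncated mid-way and the file browser then filters on something the script never asked for. The copy itself is bounded by `sizeof(params->filter_glob)`, so this is a correctness and visibility point rather than a memory-safety one; I would say so in the comment, e.g. `/* Over-long globs from scripts are truncated to fit params->filter_glob; the last pattern may be cut short. */`, and consider emitting a warning in that branch so script authors notice. The branch also passes `tmp` straight to `BLI_strncpy`, which presumably relies on the allocating getter never returning NULL; that is worth confirming against its implementation. `ED_fileselect_set_params` begins and ends outside this hunk, so whether its other string properties are read into fixed buffers with the same unbounded getter cannot be checked from here.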