From 4f8c15daf4cde7d55e2a7bc59287b6e795d934d0 Mon Sep 17 00:00:00 2001
From: Campbell Barton
Date: Fri, 19 Aug 2022 10:44:51 +1000
Subject: Fix logical errors in RNA_path_array_index_token_find

This function never succeeded as an off by one error checking the last character always indexed the null byte. The 'for' loop was broken as of [0] since the unsigned number could wrap around with some RNA paths causing out of bounds memory access. This is an example where tests would have caught the problem early on, RNA path tests are planned as part of D15558.

[0]: 11b4d0a3c3787a90e6f1631f7735d0968afbb20a
---
 source/blender/makesrna/intern/rna_path.cc | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'source/blender/makesrna')

diff --git a/source/blender/makesrna/intern/rna_path.cc b/source/blender/makesrna/intern/rna_path.cc
index 02544b177ef..58e9a7bde82 100644
--- a/source/blender/makesrna/intern/rna_path.cc
+++ b/source/blender/makesrna/intern/rna_path.cc
@@ -704,12 +704,16 @@
   /* Valid 'array part' of a rna path can only have '[', ']' and digit characters.
    * It may have more than one of those (e.g. `[12][1]`) in case of multi-dimensional arrays. */
-  size_t rna_path_len = (size_t)strlen(rna_path);
+  if (UNLIKELY(rna_path[0] == '\0')) {
+    return NULL;
+  }
+  size_t rna_path_len = (size_t)strlen(rna_path) - 1;
   if (rna_path[rna_path_len] != ']') {
     return NULL;
   }
+
   const char *last_valid_index_token_start = NULL;
-  for (rna_path_len--; rna_path_len >= 0; rna_path_len--) {
+  while (rna_path_len--) {
     switch (rna_path[rna_path_len]) {
       case '[':
         if (rna_path_len <= 0 || rna_path[rna_path_len - 1] != ']') {
--
cgit v1.2.3
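Review bot: The guard `rna_path_len <= 0` in the `case '['` branch is written as if `rna_path_len` could go negative, but it is a `size_t`, and the new `while (rna_path_len--)` loop now deliberately relies on unsigned semantics; write it as `if (rna_path_len == 0 || rna_path[rna_path_len - 1] != ']') {` so the bound that protects the `rna_path_len - 1` read is stated explicitly and `-Wtype-limits` stays quiet. Since the post-decrement runs once more after the last true test, `rna_path_len` is `SIZE_MAX` once the loop exits, so any use of it after the loop would index far out of bounds; the loop line deserves a comment such as `/* Walk back from the character before the trailing ']' down to index 0; NOTE: rna_path_len wraps to SIZE_MAX after the loop and must not be reused. */`. The rest of the `switch` and whatever follows the loop lie outside the hunk, so whether `rna_path_len` is touched there cannot be confirmed from this diff.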