From e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 Mon Sep 17 00:00:00 2001 From: Brecht Van Lommel Date: Sun, 14 Jan 2018 22:14:20 +0100 Subject: Fix buffer overflow vulnerabilities in mesh code. Solves these security issues from T52924: CVE-2017-12081 CVE-2017-12082 CVE-2017-12086 CVE-2017-12099 CVE-2017-12100 CVE-2017-12101 CVE-2017-12105 While the specific overflow issue may be fixed, loading the repro .blend files may still crash because they are incomplete and corrupt. The way they crash may be impossible to exploit, but this is difficult to prove. Differential Revision: https://developer.blender.org/D3002 --- source/blender/modifiers/intern/MOD_build.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source/blender/modifiers/intern/MOD_build.c') diff --git a/source/blender/modifiers/intern/MOD_build.c b/source/blender/modifiers/intern/MOD_build.c index 56a274b9ac9..62da8b8ffea 100644 --- a/source/blender/modifiers/intern/MOD_build.c +++ b/source/blender/modifiers/intern/MOD_build.c @@ -104,9 +104,9 @@ static DerivedMesh *applyModifier(ModifierData *md, Object *UNUSED(ob), MVert *mvert_src = dm->getVertArray(dm); - vertMap = MEM_mallocN(sizeof(*vertMap) * numVert_src, "build modifier vertMap"); - edgeMap = MEM_mallocN(sizeof(*edgeMap) * numEdge_src, "build modifier edgeMap"); - faceMap = MEM_mallocN(sizeof(*faceMap) * numPoly_src, "build modifier faceMap"); + vertMap = MEM_malloc_arrayN(numVert_src, sizeof(*vertMap), "build modifier vertMap"); + edgeMap = MEM_malloc_arrayN(numEdge_src, sizeof(*edgeMap), "build modifier edgeMap"); + faceMap = MEM_malloc_arrayN(numPoly_src, sizeof(*faceMap), "build modifier faceMap"); range_vn_i(vertMap, numVert_src, 0); range_vn_i(edgeMap, numEdge_src, 0); -- cgit v1.2.3