From e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 Mon Sep 17 00:00:00 2001 From: Brecht Van Lommel Date: Sun, 14 Jan 2018 22:14:20 +0100 Subject: Fix buffer overflow vulnerabilities in mesh code. Solves these security issues from T52924: CVE-2017-12081 CVE-2017-12082 CVE-2017-12086 CVE-2017-12099 CVE-2017-12100 CVE-2017-12101 CVE-2017-12105 While the specific overflow issue may be fixed, loading the repro .blend files may still crash because they are incomplete and corrupt. The way they crash may be impossible to exploit, but this is difficult to prove. Differential Revision: https://developer.blender.org/D3002 --- source/blender/modifiers/intern/MOD_mask.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source/blender/modifiers/intern/MOD_mask.c') diff --git a/source/blender/modifiers/intern/MOD_mask.c b/source/blender/modifiers/intern/MOD_mask.c index 18caf4a39f4..508897ec4fd 100644 --- a/source/blender/modifiers/intern/MOD_mask.c +++ b/source/blender/modifiers/intern/MOD_mask.c @@ -181,7 +181,7 @@ static DerivedMesh *applyModifier(ModifierData *md, Object *ob, * - each cell is a boolean saying whether bone corresponding to the ith group is selected * - groups that don't match a bone are treated as not existing (along with the corresponding ungrouped verts) */ - bone_select_array = MEM_mallocN((size_t)defbase_tot * sizeof(char), "mask array"); + bone_select_array = MEM_malloc_arrayN((size_t)defbase_tot, sizeof(char), "mask array"); for (i = 0, def = ob->defbase.first; def; def = def->next, i++) { pchan = BKE_pose_channel_find_name(oba->pose, def->name); @@ -265,7 +265,7 @@ static DerivedMesh *applyModifier(ModifierData *md, Object *ob, mloop_src = dm->getLoopArray(dm); /* overalloc, assume all polys are seen */ - loop_mapping = MEM_mallocN(sizeof(int) * (size_t)maxPolys, "mask loopmap"); + loop_mapping = MEM_malloc_arrayN((size_t)maxPolys, sizeof(int), "mask loopmap"); /* loop over edges and faces, and do the same thing to * ensure that they only reference existing verts -- cgit v1.2.3