From e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 Mon Sep 17 00:00:00 2001
From: Brecht Van Lommel <brechtvanlommel@gmail.com>
Date: Sun, 14 Jan 2018 22:14:20 +0100
Subject: Fix buffer overflow vulnerabilities in mesh code.

Solves these security issues from T52924:
CVE-2017-12081
CVE-2017-12082
CVE-2017-12086
CVE-2017-12099
CVE-2017-12100
CVE-2017-12101
CVE-2017-12105

While the specific overflow issue may be fixed, loading the repro .blend
files may still crash because they are incomplete and corrupt. The way
they crash may be impossible to exploit, but this is difficult to prove.

Differential Revision: https://developer.blender.org/D3002
---
 source/blender/modifiers/intern/MOD_smooth.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'source/blender/modifiers/intern/MOD_smooth.c')

diff --git a/source/blender/modifiers/intern/MOD_smooth.c b/source/blender/modifiers/intern/MOD_smooth.c
index d45c8528510..92025512f02 100644
--- a/source/blender/modifiers/intern/MOD_smooth.c
+++ b/source/blender/modifiers/intern/MOD_smooth.c
@@ -102,10 +102,10 @@ static void smoothModifier_do(
 	unsigned char *uctmp;
 	float *ftmp, fac, facm;
 
-	ftmp = (float *)MEM_callocN(3 * sizeof(float) * numVerts,
+	ftmp = (float *)MEM_calloc_arrayN(numVerts, 3 * sizeof(float),
 	                            "smoothmodifier_f");
 	if (!ftmp) return;
-	uctmp = (unsigned char *)MEM_callocN(sizeof(unsigned char) * numVerts,
+	uctmp = (unsigned char *)MEM_calloc_arrayN(numVerts, sizeof(unsigned char),
 	                                     "smoothmodifier_uc");
 	if (!uctmp) {
 		if (ftmp) MEM_freeN(ftmp);
-- 
cgit v1.2.3