From e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 Mon Sep 17 00:00:00 2001 From: Brecht Van Lommel Date: Sun, 14 Jan 2018 22:14:20 +0100 Subject: Fix buffer overflow vulnerabilities in mesh code. Solves these security issues from T52924: CVE-2017-12081 CVE-2017-12082 CVE-2017-12086 CVE-2017-12099 CVE-2017-12100 CVE-2017-12101 CVE-2017-12105 While the specific overflow issue may be fixed, loading the repro .blend files may still crash because they are incomplete and corrupt. The way they crash may be impossible to exploit, but this is difficult to prove. Differential Revision: https://developer.blender.org/D3002 --- source/blender/modifiers/intern/MOD_weightvgedit.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source/blender/modifiers/intern/MOD_weightvgedit.c') diff --git a/source/blender/modifiers/intern/MOD_weightvgedit.c b/source/blender/modifiers/intern/MOD_weightvgedit.c index 13a97c1c13d..a5f40a5e8cf 100644 --- a/source/blender/modifiers/intern/MOD_weightvgedit.c +++ b/source/blender/modifiers/intern/MOD_weightvgedit.c @@ -231,9 +231,9 @@ static DerivedMesh *applyModifier(ModifierData *md, Object *ob, DerivedMesh *der } /* Get org weights, assuming 0.0 for vertices not in given vgroup. */ - org_w = MEM_mallocN(sizeof(float) * numVerts, "WeightVGEdit Modifier, org_w"); - new_w = MEM_mallocN(sizeof(float) * numVerts, "WeightVGEdit Modifier, new_w"); - dw = MEM_mallocN(sizeof(MDeformWeight *) * numVerts, "WeightVGEdit Modifier, dw"); + org_w = MEM_malloc_arrayN(numVerts, sizeof(float), "WeightVGEdit Modifier, org_w"); + new_w = MEM_malloc_arrayN(numVerts, sizeof(float), "WeightVGEdit Modifier, new_w"); + dw = MEM_malloc_arrayN(numVerts, sizeof(MDeformWeight *), "WeightVGEdit Modifier, dw"); for (i = 0; i < numVerts; i++) { dw[i] = defvert_find_index(&dvert[i], defgrp_index); if (dw[i]) { -- cgit v1.2.3