Fix buffer overflow vulernability in thumbnail file reading.
Fixes CVE-2017-2908 from T52924. Differential Revision: https://developer.blender.org/D3001
This commit is contained in:
parent
d30cc1ea0b
commit
07aed404cf
|
@ -145,7 +145,8 @@ typedef struct Main {
|
|||
|
||||
#define BLEN_THUMB_SIZE 128
|
||||
|
||||
#define BLEN_THUMB_MEMSIZE(_x, _y) (sizeof(BlendThumbnail) + (size_t)((_x) * (_y)) * sizeof(int))
|
||||
#define BLEN_THUMB_MEMSIZE(_x, _y) (sizeof(BlendThumbnail) + ((size_t)(_x) * (size_t)(_y)) * sizeof(int))
|
||||
#define BLEN_THUMB_SAFE_MEMSIZE(_x, _y) ((uint64_t)_x * (uint64_t)_y < (SIZE_MAX / (sizeof(int) * 4)))
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
|
|
|
@ -75,6 +75,6 @@ enum {
|
|||
ENDB = BLEND_MAKE_ID('E', 'N', 'D', 'B'),
|
||||
};
|
||||
|
||||
#define BLEN_THUMB_MEMSIZE_FILE(_x, _y) (sizeof(int) * (size_t)(2 + (_x) * (_y)))
|
||||
#define BLEN_THUMB_MEMSIZE_FILE(_x, _y) (sizeof(int) * (2 + (size_t)(_x) * (size_t)(_y)))
|
||||
|
||||
#endif /* __BLO_BLEND_DEFS_H__ */
|
||||
|
|
|
@ -982,7 +982,13 @@ static int *read_file_thumbnail(FileData *fd)
|
|||
BLI_endian_switch_int32(&data[1]);
|
||||
}
|
||||
|
||||
if (bhead->len < BLEN_THUMB_MEMSIZE_FILE(data[0], data[1])) {
|
||||
int width = data[0];
|
||||
int height = data[1];
|
||||
|
||||
if (!BLEN_THUMB_SAFE_MEMSIZE(width, height)) {
|
||||
break;
|
||||
}
|
||||
if (bhead->len < BLEN_THUMB_MEMSIZE_FILE(width, height)) {
|
||||
break;
|
||||
}
|
||||
|
||||
|
@ -1421,23 +1427,28 @@ bool BLO_library_path_explode(const char *path, char *r_dir, char **r_group, cha
|
|||
BlendThumbnail *BLO_thumbnail_from_file(const char *filepath)
|
||||
{
|
||||
FileData *fd;
|
||||
BlendThumbnail *data;
|
||||
BlendThumbnail *data = NULL;
|
||||
int *fd_data;
|
||||
|
||||
fd = blo_openblenderfile_minimal(filepath);
|
||||
fd_data = fd ? read_file_thumbnail(fd) : NULL;
|
||||
|
||||
if (fd_data) {
|
||||
const size_t sz = BLEN_THUMB_MEMSIZE(fd_data[0], fd_data[1]);
|
||||
data = MEM_mallocN(sz, __func__);
|
||||
int width = fd_data[0];
|
||||
int height = fd_data[1];
|
||||
|
||||
BLI_assert((sz - sizeof(*data)) == (BLEN_THUMB_MEMSIZE_FILE(fd_data[0], fd_data[1]) - (sizeof(*fd_data) * 2)));
|
||||
data->width = fd_data[0];
|
||||
data->height = fd_data[1];
|
||||
memcpy(data->rect, &fd_data[2], sz - sizeof(*data));
|
||||
}
|
||||
else {
|
||||
data = NULL;
|
||||
/* Protect against buffer overflow vulnerability. */
|
||||
if (BLEN_THUMB_SAFE_MEMSIZE(width, height)) {
|
||||
const size_t sz = BLEN_THUMB_MEMSIZE(width, height);
|
||||
data = MEM_mallocN(sz, __func__);
|
||||
|
||||
if (data) {
|
||||
BLI_assert((sz - sizeof(*data)) == (BLEN_THUMB_MEMSIZE_FILE(width, height) - (sizeof(*fd_data) * 2)));
|
||||
data->width = width;
|
||||
data->height = height;
|
||||
memcpy(data->rect, &fd_data[2], sz - sizeof(*data));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
blo_freefiledata(fd);
|
||||
|
@ -8624,14 +8635,20 @@ BlendFileData *blo_read_file_internal(FileData *fd, const char *filepath)
|
|||
const int *data = read_file_thumbnail(fd);
|
||||
|
||||
if (data) {
|
||||
const size_t sz = BLEN_THUMB_MEMSIZE(data[0], data[1]);
|
||||
bfd->main->blen_thumb = MEM_mallocN(sz, __func__);
|
||||
int width = data[0];
|
||||
int height = data[1];
|
||||
|
||||
BLI_assert((sz - sizeof(*bfd->main->blen_thumb)) ==
|
||||
(BLEN_THUMB_MEMSIZE_FILE(data[0], data[1]) - (sizeof(*data) * 2)));
|
||||
bfd->main->blen_thumb->width = data[0];
|
||||
bfd->main->blen_thumb->height = data[1];
|
||||
memcpy(bfd->main->blen_thumb->rect, &data[2], sz - sizeof(*bfd->main->blen_thumb));
|
||||
/* Protect against buffer overflow vulnerability. */
|
||||
if (BLEN_THUMB_SAFE_MEMSIZE(width, height)) {
|
||||
const size_t sz = BLEN_THUMB_MEMSIZE(width, height);
|
||||
bfd->main->blen_thumb = MEM_mallocN(sz, __func__);
|
||||
|
||||
BLI_assert((sz - sizeof(*bfd->main->blen_thumb)) ==
|
||||
(BLEN_THUMB_MEMSIZE_FILE(width, height) - (sizeof(*data) * 2)));
|
||||
bfd->main->blen_thumb->width = width;
|
||||
bfd->main->blen_thumb->height = height;
|
||||
memcpy(bfd->main->blen_thumb->rect, &data[2], sz - sizeof(*bfd->main->blen_thumb));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -173,7 +173,9 @@ void DNA_sdna_free(SDNA *sdna)
|
|||
MEM_freeN(sdna->structs);
|
||||
|
||||
#ifdef WITH_DNA_GHASH
|
||||
BLI_ghash_free(sdna->structs_map, NULL, NULL);
|
||||
if (sdna->structs_map) {
|
||||
BLI_ghash_free(sdna->structs_map, NULL, NULL);
|
||||
}
|
||||
#endif
|
||||
|
||||
MEM_freeN(sdna);
|
||||
|
|
Loading…
Reference in New Issue