Fix logical errors in RNA_path_array_index_token_find

This function never succeeded, as an off-by-one error when checking the
last character always indexed the null byte.
The 'for' loop was broken as of [0] since the unsigned number could wrap
around with some RNA paths causing out of bounds memory access.

This is an example where tests would have caught the problem early on;
RNA path tests are planned as part of D15558.

[0]: 11b4d0a3c3
Campbell Barton 2022-08-19 10:44:51 +10:00
parent 6a4f4810f3
commit 4f8c15daf4
1 changed files with 6 additions and 2 deletions

@ -704,12 +704,16 @@ const char *RNA_path_array_index_token_find(const char *rna_path, const Property
/* Valid 'array part' of a rna path can only have '[', ']' and digit characters.
* It may have more than one of those (e.g. `[12][1]`) in case of multi-dimensional arrays. */
size_t rna_path_len = (size_t)strlen(rna_path);
if (UNLIKELY(rna_path[0] == '\0')) {
return NULL;
}
size_t rna_path_len = (size_t)strlen(rna_path) - 1;
if (rna_path[rna_path_len] != ']') {
return NULL;
}
const char *last_valid_index_token_start = NULL;
for (rna_path_len--; rna_path_len >= 0; rna_path_len--) {
while (rna_path_len--) {
switch (rna_path[rna_path_len]) {
case '[':
if (rna_path_len <= 0 || rna_path[rna_path_len - 1] != ']') {
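Review bot: `rna_path_len` no longer holds a length after `size_t rna_path_len = (size_t)strlen(rna_path) - 1;`. It is the index of the last character, and `while (rna_path_len--)` then turns it into a descending cursor. A name that says "index" or a one-line comment would keep the next reader from reintroducing the off-by-one. In the `case '['` line, `rna_path_len <= 0` is evaluated on a `size_t`, so it can only mean `== 0`. Writing it that way avoids the same signed/unsigned confusion that made the removed `rna_path_len >= 0` loop condition always true. The empty-string guard is what keeps `strlen(rna_path) - 1` from wrapping, so it must stay ahead of that line, and a comment saying so would help. The fix also ships without a test. Cases for an empty path, a path that is only `]`, and a path with no `[` at all would cover the branches visible here.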