archive/blender-archive
Archived
1
1
Fork 0
Code Pull Requests Packages Activity

Fix incorrect BLI_snprintf usage

Browse Source 
Event though in practice this wasn't causing problems as the fixed size
buffers are generally large enough not to truncate text.

Using the result from `snprint` or `BLI_snprintf` to step over a fixed
size buffer allows for buffer overruns as the returned value is the size
needed to copy the entire string, not the number of bytes copied.

Building strings using this convention with multiple calls:

    ofs += BLI_snprintf(str + ofs, str_len_max - ofs);

.. caused the size argument to become negative,
wrapping it to a large value when cast to the unsigned argument.
This commit is contained in:
Campbell Barton
2021-05-27 17:16:08 +10:00
parent 1276d0024f
commit 41f2ea4045
18 changed files with 204 additions and 199 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
source/blender/python/mathutils/mathutils_Matrix.c
View File

@@ -2253,7 +2253,7 @@ static PyObject *Matrix_str(MatrixObject *self)
for (col = 0; col < self->num_col; col++) {
maxsize[col] = 0;
for (row = 0; row < self->num_row; row++) {
const int size = BLI_snprintf(
const int size = BLI_snprintf_rlen(
dummy_buf, sizeof(dummy_buf), "%.4f", MATRIX_ITEM(self, row, col));
maxsize[col] = max_ii(maxsize[col], size);
}