Fix buffer overflow vulnerabilities in mesh code.

Solves these security issues from T52924:
CVE-2017-12081
CVE-2017-12082
CVE-2017-12086
CVE-2017-12099
CVE-2017-12100
CVE-2017-12101
CVE-2017-12105

While the specific overflow issue may be fixed, loading the repro .blend
files may still crash because they are incomplete and corrupt. The way
they crash may be impossible to exploit, but this is difficult to prove.

Differential Revision: https://developer.blender.org/D3002
2018-01-14 22:14:20 +01:00
parent e0f2c7aff4
commit e04d7c49dc
44 changed files with 358 additions and 343 deletions


@@ -119,9 +119,9 @@ static void createFacepa(ExplodeModifierData *emd,
if (emd->facepa)
MEM_freeN(emd->facepa);
facepa = emd->facepa = MEM_callocN(sizeof(int) * totface, "explode_facepa");
facepa = emd->facepa = MEM_calloc_arrayN(totface, sizeof(int), "explode_facepa");
vertpa = MEM_callocN(sizeof(int) * totvert, "explode_vertpa");
vertpa = MEM_calloc_arrayN(totvert, sizeof(int), "explode_vertpa");
/* initialize all faces & verts to no particle */
for (i = 0; i < totface; i++)
@@ -557,8 +557,8 @@ static DerivedMesh *cutEdges(ExplodeModifierData *emd, DerivedMesh *dm)
int totvert = dm->getNumVerts(dm);
int totface = dm->getNumTessFaces(dm);
int *facesplit = MEM_callocN(sizeof(int) * totface, "explode_facesplit");
int *vertpa = MEM_callocN(sizeof(int) * totvert, "explode_vertpa2");
int *facesplit = MEM_calloc_arrayN(totface, sizeof(int), "explode_facesplit");
int *vertpa = MEM_calloc_arrayN(totvert, sizeof(int), "explode_vertpa2");
int *facepa = emd->facepa;
int *fs, totesplit = 0, totfsplit = 0, curdupface = 0;
int i, v1, v2, v3, v4, esplit,
@@ -656,7 +656,7 @@ static DerivedMesh *cutEdges(ExplodeModifierData *emd, DerivedMesh *dm)
* later interpreted as tri's, for this to work right I think we probably
* have to stop using tessface - campbell */
facepa = MEM_callocN(sizeof(int) * (totface + (totfsplit * 2)), "explode_facepa");
facepa = MEM_calloc_arrayN((totface + (totfsplit * 2)), sizeof(int), "explode_facepa");
//memcpy(facepa, emd->facepa, totface*sizeof(int));
emd->facepa = facepa;