From 574b2db317d446a00a68e327dfbf6d4a46b502ff Mon Sep 17 00:00:00 2001 From: Campbell Barton Date: Wed, 24 May 2023 13:29:28 +1000 Subject: [PATCH] Fix buffer overflow in BLI_path_abs on WIN32 Loading paths without a drive-prefix could overflow by 3 bytes. Replace unsafe strcat with BLI_strncpy. --- source/blender/blenlib/BLI_winstuff.h | 5 +++++ source/blender/blenlib/intern/path_util.c | 11 +++++++---- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/source/blender/blenlib/BLI_winstuff.h b/source/blender/blenlib/BLI_winstuff.h index 5ed64128a26..976c27e2018 100644 --- a/source/blender/blenlib/BLI_winstuff.h +++ b/source/blender/blenlib/BLI_winstuff.h @@ -86,6 +86,11 @@ const char *dirname(char *path); /* Windows utility functions. */ bool BLI_windows_register_blend_extension(bool background); +/** + * Set the `root_dir` to the default root directory on MS-Windows, + * The string is guaranteed to be set with a length of 3 & null terminated, + * using a fall-back in case the root directory can't be found. + */ void BLI_windows_get_default_root_dir(char root_dir[4]); int BLI_windows_get_executable_dir(char *str); diff --git a/source/blender/blenlib/intern/path_util.c b/source/blender/blenlib/intern/path_util.c index adc989144c5..db2b6bd5df3 100644 --- a/source/blender/blenlib/intern/path_util.c +++ b/source/blender/blenlib/intern/path_util.c @@ -1111,16 +1111,19 @@ bool BLI_path_abs(char path[FILE_MAX], const char *basepath) /* We are checking here if we have an absolute path that is not in the current `.blend` file * as a lib main - we are basically checking for the case that a UNIX root `/` is passed. */ if (!wasrelative && !BLI_path_is_abs_win32(path)) { + const size_t root_dir_len = 3; char *p = path; BLI_windows_get_default_root_dir(tmp); - /* Get rid of the slashes at the beginning of the path. */ - while (ELEM(*p, '\\', '/')) { + BLI_assert(strlen(tmp) == root_dir_len); + + /* Step over the slashes at the beginning of the path. */ + while (BLI_path_slash_is_native_compat(*p)) { p++; } - strcat(tmp, p); + BLI_strncpy(tmp + root_dir_len, p, sizeof(tmp) - root_dir_len); } else { - BLI_strncpy(tmp, path, FILE_MAX); + STRNCPY(tmp, path); } #else STRNCPY(tmp, path);