griefith/test
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Fix buffer overflow in AVI file writing

Browse Source 
`strcpy` could overflow the destination buffer by 768 bytes,
use FILE_MAX for the filepath buffer size.

Also include the size in the functions signature to avoid similar
errors in the future.
This commit is contained in:
Campbell Barton
2023-06-19 12:28:46 +10:00
parent 78f5d9d599
commit b68b66d29e
3 changed files with 20 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
source/blender/blenkernel/BKE_writeavi.h
View File

@@ -38,7 +38,7 @@ typedef struct bMovieHandle {
void (*end_movie)(void *context_v);
/* Optional function. */
void (*get_movie_path)(char *filepath,
void (*get_movie_path)(char filepath[/*FILE_MAX*/ 1024],
const struct RenderData *rd,
bool preview,
const char *suffix);
@@ -52,7 +52,7 @@ bMovieHandle *BKE_movie_handle_get(char imtype);
/**
* \note Similar to #BKE_image_path_from_imformat()
*/
void BKE_movie_filepath_get(char *filepath,
void BKE_movie_filepath_get(char filepath[/*FILE_MAX*/ 1024],
const struct RenderData *rd,
bool preview,
const char *suffix);

2
source/blender/blenkernel/BKE_writeffmpeg.h
View File

@@ -64,7 +64,7 @@ int BKE_ffmpeg_append(void *context_v,
int recty,
const char *suffix,
struct ReportList *reports);
void BKE_ffmpeg_filepath_get(char *filepath,
void BKE_ffmpeg_filepath_get(char filepath[/*FILE_MAX*/ 1024],
const struct RenderData *rd,
bool preview,
const char *suffix);

25
source/blender/blenkernel/intern/writeavi.c
View File

@@ -82,7 +82,10 @@ static int append_avi(void *context_v,
int recty,
const char *suffix,
ReportList *reports);
static void filepath_avi(char *string, const RenderData *rd, bool preview, const char *suffix);
static void filepath_avi(char filepath[FILE_MAX],
const RenderData *rd,
bool preview,
const char *suffix);
static void *context_create_avi(void);
static void context_free_avi(void *context_v);
#endif /* WITH_AVI */
@@ -140,7 +143,10 @@ bMovieHandle *BKE_movie_handle_get(const char imtype)
#ifdef WITH_AVI
static void filepath_avi(char *filepath, const RenderData *rd, bool preview, const char *suffix)
static void filepath_avi(char filepath[FILE_MAX],
const RenderData *rd,
bool preview,
const char *suffix)
{
int sfra, efra;
@@ -157,7 +163,7 @@ static void filepath_avi(char *filepath, const RenderData *rd, bool preview, con
efra = rd->efra;
}
strcpy(filepath, rd->pic);
BLI_strncpy(filepath, rd->pic, FILE_MAX);
BLI_path_abs(filepath, BKE_main_blendfile_path_from_global());
BLI_file_ensure_parent_dir_exists(filepath);
@@ -187,13 +193,13 @@ static int start_avi(void *context_v,
const char *suffix)
{
int x, y;
char name[256];
char filepath[FILE_MAX];
AviFormat format;
int quality;
double framerate;
AviMovie *avi = context_v;
filepath_avi(name, rd, preview, suffix);
filepath_avi(filepath, rd, preview, suffix);
x = rectx;
y = recty;
@@ -208,7 +214,7 @@ static int start_avi(void *context_v,
format = AVI_FORMAT_MJPEG;
}
if (AVI_open_compress(name, avi, 1, format) != AVI_ERROR_NONE) {
if (AVI_open_compress(filepath, avi, 1, format) != AVI_ERROR_NONE) {
BKE_report(reports, RPT_ERROR, "Cannot open or start AVI movie file");
return 0;
}
@@ -221,7 +227,7 @@ static int start_avi(void *context_v,
avi->interlace = 0;
avi->odd_fields = 0;
printf("Created avi: %s\n", name);
printf("Created avi: %s\n", filepath);
return 1;
}
@@ -297,7 +303,10 @@ static void context_free_avi(void *context_v)
#endif /* WITH_AVI */
void BKE_movie_filepath_get(char *filepath, const RenderData *rd, bool preview, const char *suffix)
void BKE_movie_filepath_get(char filepath[/*FILE_MAX*/ 1024],
const RenderData *rd,
bool preview,
const char *suffix)
{
bMovieHandle *mh = BKE_movie_handle_get(rd->im_format.imtype);
if (mh && mh->get_movie_path) {