Fix potential buffer overflow in text to object conversion

BLI_strlen_utf8_ex was used to calculate the array size,
while strlen was used to fill it; the strlen length could exceed
the UTF-8 size if the text contains invalid UTF-8 sequences.
Campbell Barton
2023-06-23 10:09:00 +10:00
parent b06afe575e
commit 06cb4ca376


@@ -708,18 +708,18 @@ static void txt_add_object(bContext *C,
s = cu->str;
for (tmp = firstline, a = 0; cu->len < MAXTEXT && a < totline; tmp = tmp->next, a++) {
size_t nbytes_line;
nbytes_line = BLI_strcpy_rlen(s, tmp->line);
size_t nchars_line_dummy, nbytes_line;
nchars_line_dummy = BLI_strlen_utf8_ex(tmp->line, &nbytes_line);
(void)nchars_line_dummy;
memcpy(s, tmp->line, nbytes_line);
s += nbytes_line;
cu->len += nbytes_line;
if (tmp->next) {
nbytes_line = BLI_strcpy_rlen(s, "\n");
s += nbytes_line;
cu->len += nbytes_line;
*s = '\n';
s += 1;
cu->len += 1;
}
}
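Review bot: The new `memcpy(s, tmp->line, nbytes_line)` and `*s = '\n'` writes leave `cu->str` without a terminating NUL inside the loop, whereas the replaced `BLI_strcpy_rlen` calls presumably terminated the buffer after every line; the string is now only terminated if code after the loop, outside this hunk, stores `'\0'` at `s`. The copy is also bounded only by the allocation made earlier in `txt_add_object` (not visible here): the loop guard `cu->len < MAXTEXT` is tested before a line is copied, not against the space that is left. I would state that invariant above the copy, for example `/* nbytes_line comes from the same BLI_strlen_utf8_ex() count that sized cu->str; memcpy() adds no terminator, so it must be written after the loop. */`, and confirm that the sizing pass walks the same lines with the same stop condition.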