From b68b66d29ef7a8f62d4e3715b02a503f085cb0a2 Mon Sep 17 00:00:00 2001 From: Campbell Barton Date: Mon, 19 Jun 2023 12:28:46 +1000 Subject: [PATCH 1/2] Fix buffer overflow in AVI file writing `strcpy` could overflow the destination buffer by 768 bytes, use FILE_MAX for the filepath buffer size. Also include the size in the functions signature to avoid similar errors in the future. --- source/blender/blenkernel/BKE_writeavi.h | 4 ++-- source/blender/blenkernel/BKE_writeffmpeg.h | 2 +- source/blender/blenkernel/intern/writeavi.c | 25 ++++++++++++++------- 3 files changed, 20 insertions(+), 11 deletions(-) diff --git a/source/blender/blenkernel/BKE_writeavi.h b/source/blender/blenkernel/BKE_writeavi.h index b6391b74fc3..d313354cd46 100644 --- a/source/blender/blenkernel/BKE_writeavi.h +++ b/source/blender/blenkernel/BKE_writeavi.h @@ -38,7 +38,7 @@ typedef struct bMovieHandle { void (*end_movie)(void *context_v); /* Optional function. */ - void (*get_movie_path)(char *filepath, + void (*get_movie_path)(char filepath[/*FILE_MAX*/ 1024], const struct RenderData *rd, bool preview, const char *suffix); @@ -52,7 +52,7 @@ bMovieHandle *BKE_movie_handle_get(char imtype); /** * \note Similar to #BKE_image_path_from_imformat() */ -void BKE_movie_filepath_get(char *filepath, +void BKE_movie_filepath_get(char filepath[/*FILE_MAX*/ 1024], const struct RenderData *rd, bool preview, const char *suffix); diff --git a/source/blender/blenkernel/BKE_writeffmpeg.h b/source/blender/blenkernel/BKE_writeffmpeg.h index d5cc6e0a4de..cd1ce4a75b8 100644 --- a/source/blender/blenkernel/BKE_writeffmpeg.h +++ b/source/blender/blenkernel/BKE_writeffmpeg.h @@ -64,7 +64,7 @@ int BKE_ffmpeg_append(void *context_v, int recty, const char *suffix, struct ReportList *reports); -void BKE_ffmpeg_filepath_get(char *filepath, +void BKE_ffmpeg_filepath_get(char filepath[/*FILE_MAX*/ 1024], const struct RenderData *rd, bool preview, const char *suffix); 
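Review bot: The bound added to the `get_movie_path` callback type, `char filepath[/*FILE_MAX*/ 1024]`, is documentation only. An array parameter decays to `char *`, so a caller that still passes a smaller buffer will, at best, draw a compiler warning and will overflow as before, and `sizeof(filepath)` inside an implementation yields the pointer size rather than 1024. The same holds for the `BKE_movie_filepath_get` and `BKE_ffmpeg_filepath_get` declarations in the next two hunks. The callers of these entry points are not part of this patch, so each should be checked to pass a buffer of at least `FILE_MAX` bytes. The literal 1024 can also drift from `FILE_MAX`; a compile-time check in a source file that sees both, for example `_Static_assert(FILE_MAX == 1024, "keep BKE_writeavi.h in sync");` or the project's own static-assert macro, would catch that.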
diff --git a/source/blender/blenkernel/intern/writeavi.c b/source/blender/blenkernel/intern/writeavi.c index daacda12d1e..793547975d4 100644 --- a/source/blender/blenkernel/intern/writeavi.c +++ b/source/blender/blenkernel/intern/writeavi.c @@ -82,7 +82,10 @@ static int append_avi(void *context_v, int recty, const char *suffix, ReportList *reports); -static void filepath_avi(char *string, const RenderData *rd, bool preview, const char *suffix); +static void filepath_avi(char filepath[FILE_MAX], + const RenderData *rd, + bool preview, + const char *suffix); static void *context_create_avi(void); static void context_free_avi(void *context_v); #endif /* WITH_AVI */ @@ -140,7 +143,10 @@ bMovieHandle *BKE_movie_handle_get(const char imtype) #ifdef WITH_AVI -static void filepath_avi(char *filepath, const RenderData *rd, bool preview, const char *suffix) +static void filepath_avi(char filepath[FILE_MAX], + const RenderData *rd, + bool preview, + const char *suffix) { int sfra, efra; @@ -157,7 +163,7 @@ static void filepath_avi(char *filepath, const RenderData *rd, bool preview, con efra = rd->efra; } - strcpy(filepath, rd->pic); + BLI_strncpy(filepath, rd->pic, FILE_MAX); BLI_path_abs(filepath, BKE_main_blendfile_path_from_global()); BLI_file_ensure_parent_dir_exists(filepath); @@ -187,13 +193,13 @@ static int start_avi(void *context_v, const char *suffix) { int x, y; - char name[256]; + char filepath[FILE_MAX]; AviFormat format; int quality; double framerate; AviMovie *avi = context_v; - filepath_avi(name, rd, preview, suffix); + filepath_avi(filepath, rd, preview, suffix); x = rectx; y = recty; @@ -208,7 +214,7 @@ static int start_avi(void *context_v, format = AVI_FORMAT_MJPEG; } - if (AVI_open_compress(name, avi, 1, format) != AVI_ERROR_NONE) { + if (AVI_open_compress(filepath, avi, 1, format) != AVI_ERROR_NONE) { BKE_report(reports, RPT_ERROR, "Cannot open or start AVI movie file"); return 0; } 
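Review bot: `BLI_strncpy(filepath, rd->pic, FILE_MAX)` in `filepath_avi` removes the overflow but truncates silently, and the result goes straight into `BLI_path_abs` and `BLI_file_ensure_parent_dir_exists`. If truncation can happen, directories and later the output file would be created at a path the user did not name. The size of `rd->pic` is not visible in this patch; if it is `FILE_MAX` bytes, as the commit message's 768-byte figure suggests, a comment on the copy such as `/* rd->pic is FILE_MAX bytes, so this copy cannot truncate. */` would record why the case is unreachable. `BLI_path_abs` is called here without a size argument, and the rest of `filepath_avi` lies outside the hunk, so anything it appends after this point should also be checked to bound its writes by `FILE_MAX`.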
@@ -221,7 +227,7 @@ static int start_avi(void *context_v, avi->interlace = 0; avi->odd_fields = 0; - printf("Created avi: %s\n", name); + printf("Created avi: %s\n", filepath); return 1; } @@ -297,7 +303,10 @@ static void context_free_avi(void *context_v) #endif /* WITH_AVI */ -void BKE_movie_filepath_get(char *filepath, const RenderData *rd, bool preview, const char *suffix) +void BKE_movie_filepath_get(char filepath[/*FILE_MAX*/ 1024], + const RenderData *rd, + bool preview, + const char *suffix) { bMovieHandle *mh = BKE_movie_handle_get(rd->im_format.imtype); if (mh && mh->get_movie_path) { From a6a32a8279f785a713f09746b8c8556b7b87ce26 Mon Sep 17 00:00:00 2001 From: Campbell Barton Date: Mon, 19 Jun 2023 12:36:18 +1000 Subject: [PATCH 2/2] Quiet compiler warning from b68b66d29ef7a8f62d4e3715b02a --- source/blender/blenkernel/intern/writeffmpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/blender/blenkernel/intern/writeffmpeg.c b/source/blender/blenkernel/intern/writeffmpeg.c index d6404a1158c..f2878395b6d 100644 --- a/source/blender/blenkernel/intern/writeffmpeg.c +++ b/source/blender/blenkernel/intern/writeffmpeg.c @@ -1426,7 +1426,7 @@ static void ffmpeg_filepath_get(FFMpegContext *context, BLI_path_suffix(string, FILE_MAX, suffix, ""); } -void BKE_ffmpeg_filepath_get(char *filepath, +void BKE_ffmpeg_filepath_get(char filepath[/*FILE_MAX*/ 1024], const RenderData *rd, bool preview, const char *suffix)