[Bf-blender-cvs] SVN commit: /data/svn/bf-blender [14432] trunk/blender/source/blender/imbuf/intern/radiance_hdr.c: This fixes a Buffer Overflow Vulnerability reported by

Kent Mein mein at cs.umn.edu
Tue Apr 15 17:52:32 CEST 2008


Revision: 14432
          http://projects.blender.org/plugins/scmsvn/viewcvs.php?view=rev&root=bf-blender&revision=14432
Author:   sirdude
Date:     2008-04-15 17:52:18 +0200 (Tue, 15 Apr 2008)

Log Message:
-----------
This fixes a Buffer Overflow Vulnerability reported by
 Secunia Research

SAID: SA29818 (http://secunia.com/advisories/29818/)
Credit: Stefan Cornelius, Secunia Research

The old code tries to do a sscanf %s %d %s %d from a line in the
image file.

Now it copies over that line to a max buffer of size 540 chars before doing
the sscanf.
(I just picked a constant that was significantly large)

It also checks to see if it gets all 4 values; if not, it returns NULL.

Kent

Modified Paths:
--------------
    trunk/blender/source/blender/imbuf/intern/radiance_hdr.c

Modified: trunk/blender/source/blender/imbuf/intern/radiance_hdr.c
===================================================================
--- trunk/blender/source/blender/imbuf/intern/radiance_hdr.c	2008-04-15 15:29:32 UTC (rev 14431)
+++ trunk/blender/source/blender/imbuf/intern/radiance_hdr.c	2008-04-15 15:52:18 UTC (rev 14432)
@@ -61,6 +61,7 @@
 #define BLU 2
 #define EXP 3
 #define COLXS 128
+#define STR_MAX 540
 typedef unsigned char RGBE[4];
 typedef float fCOLOR[3];
 /* copy source -> dest */
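Review bot: STR_MAX is added without a comment, and neither the name nor the value 540 says what it bounds. A one-line comment stating that it caps the header line copied for parsing, and a more specific name (for example one that mentions the resolution line), would let a later reader check the value against the buffers it is meant to protect instead of treating it as an arbitrary number.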
@@ -181,6 +182,7 @@
 	unsigned char* ptr;
 	unsigned char* rect;
 	char oriY[80], oriX[80];
+	char buff[STR_MAX];
 
 	if (imb_is_a_hdr((void*)mem))
 	{
@@ -192,7 +194,9 @@
 			}
 		}
 		if (found) {
-			sscanf((char*)&mem[x+1], "%s %d %s %d", (char*)&oriY, &height, (char*)&oriX, &width);
+			BLI_strncpy(buff, (char *)&mem[x+1], sizeof(buff));
+			if (sscanf(buff, "%s %d %s %d", (char*)&oriY, &height, 
+				(char*)&oriX, &width) != 4) return NULL;
 
 			/* find end of this line, data right behind it */
 			ptr = (unsigned char *)strchr((char*)&mem[x+1], '\n');
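Review bot: The added sscanf call still uses bare %s for oriY and oriX, which the previous hunk shows are 80 bytes each, while buff holds up to STR_MAX (540) bytes, so a token longer than 79 characters in the copied line still writes past those arrays. Give both string conversions a field width, e.g. "%79s %d %79s %d", or size oriY and oriX with the same constant as buff. The != 4 check is a good addition; putting return NULL on its own braced line would match the surrounding style and make the early exit easier to spot.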

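An added example, not code from Blender or from this commit: a stand-alone parser for the resolution line that bounds both the line copy and each %s conversion. The name parse_resolution, the 256-byte line buffer, the positive-dimension check and the sample input are assumptions; ORI_LEN mirrors the 80-byte oriY/oriX arrays in the patch.

```c
#include <stdio.h>
#include <string.h>

#define ORI_LEN 80   /* same size as oriY/oriX in the patch */
#define LINE_MAX_LEN 256 /* assumed cap on the resolution line */

/* Parse a Radiance HDR resolution line such as "-Y 512 +X 768\n".
 * mem/len are untrusted file bytes and are not assumed NUL-terminated.
 * Returns 0 on success, -1 on any malformed or oversized input. */
int parse_resolution(const unsigned char *mem, size_t len,
                     char oriY[ORI_LEN], int *height,
                     char oriX[ORI_LEN], int *width)
{
    char line[LINE_MAX_LEN];
    const unsigned char *nl = memchr(mem, '\n', len); /* never reads past len */
    size_t n;

    if (nl == NULL)
        return -1;                  /* no line terminator inside the buffer */
    n = (size_t)(nl - mem);
    if (n >= sizeof(line))
        return -1;                  /* reject instead of silently truncating */
    memcpy(line, mem, n);
    line[n] = '\0';

    /* %79s stores at most 79 characters plus the terminating NUL,
     * so neither 80-byte destination can be overrun. */
    if (sscanf(line, "%79s %d %79s %d", oriY, height, oriX, width) != 4)
        return -1;
    if (*height <= 0 || *width <= 0)
        return -1;                  /* added sanity check on dimensions */
    return 0;
}

int main(void)
{
    /* constructed sample input, not taken from a real image */
    const char sample[] = "-Y 512 +X 768\nPIXELDATA";
    char oy[ORI_LEN], ox[ORI_LEN];
    int h = 0, w = 0;
    int rc = parse_resolution((const unsigned char *)sample,
                              sizeof(sample) - 1, oy, &h, ox, &w);
    printf("rc=%d %s %d %s %d\n", rc, rc ? "" : oy, h, rc ? "" : ox, w);
    return rc ? 1 : 0;
}
```
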



