[Bf-blender-cvs] SVN commit: /data/svn/bf-blender [14432] trunk/blender/source/blender/imbuf/intern/radiance_hdr.c: This fixes a Buffer Overflow Vulnerability reported by
Kent Mein
mein at cs.umn.edu
Tue Apr 15 17:52:32 CEST 2008
Revision: 14432
http://projects.blender.org/plugins/scmsvn/viewcvs.php?view=rev&root=bf-blender&revision=14432
Author: sirdude
Date: 2008-04-15 17:52:18 +0200 (Tue, 15 Apr 2008)
Log Message:
-----------
This fixes a Buffer Overflow Vulnerability reported by
Secunia Research
SAID: SA29818 (http://secunia.com/advisories/29818/)
Credit: Stefan Cornelius, Secunia Research
The old code tries to do a sscanf %s %d %s %d from a line in the
image file.
Now it copies over that line to a max buffer of size 540 chars before doing
the sscanf.
(I just picked a constant that was significantly large)
It also checks to see if it gets all 4 values if not return NULL.
Kent
Modified Paths:
--------------
trunk/blender/source/blender/imbuf/intern/radiance_hdr.c
Modified: trunk/blender/source/blender/imbuf/intern/radiance_hdr.c
===================================================================
--- trunk/blender/source/blender/imbuf/intern/radiance_hdr.c 2008-04-15 15:29:32 UTC (rev 14431)
+++ trunk/blender/source/blender/imbuf/intern/radiance_hdr.c 2008-04-15 15:52:18 UTC (rev 14432)
@@ -61,6 +61,7 @@
#define BLU 2
#define EXP 3
#define COLXS 128
+#define STR_MAX 540
typedef unsigned char RGBE[4];
typedef float fCOLOR[3];
/* copy source -> dest */
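Review bot: STR_MAX is a magic number with no comment explaining where 540 comes from; the log message says it was simply picked as "significantly large", and it has no relation to the 80-byte oriY/oriX destinations used by the sscanf later in this patch. Add a comment next to the define stating its purpose (maximum length of the Radiance header line that is copied before parsing) so a later reader does not assume it bounds the %s targets.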
@@ -181,6 +182,7 @@
unsigned char* ptr;
unsigned char* rect;
char oriY[80], oriX[80];
+ char buff[STR_MAX];
if (imb_is_a_hdr((void*)mem))
{
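Review bot: the new buff[STR_MAX] is filled by BLI_strncpy in the following hunk, but the patch does not show the include list; confirm that BLI_string.h (or whatever header declares BLI_strncpy) is already included in radiance_hdr.c, otherwise this compiles only through an implicit declaration.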
@@ -192,7 +194,9 @@
}
}
if (found) {
- sscanf((char*)&mem[x+1], "%s %d %s %d", (char*)&oriY, &height, (char*)&oriX, &width);
+ BLI_strncpy(buff, (char *)&mem[x+1], sizeof(buff));
+ if (sscanf(buff, "%s %d %s %d", (char*)&oriY, &height,
+ (char*)&oriX, &width) != 4) return NULL;
/* find end of this line, data right behind it */
ptr = (unsigned char *)strchr((char*)&mem[x+1], '\n');
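Review bot: the two %s conversions still have no field width, so the bounded copy only limits the source line to sizeof(buff) - 1 bytes, while oriY and oriX are 80 bytes each; a header line with a long orientation token can still overrun them through sscanf. Use widths matching the destinations, e.g. `if (sscanf(buff, "%79s %d %79s %d", oriY, &height, oriX, &width) != 4) return NULL;`, which keeps the added != 4 check and makes the copy-to-buff step the second line of defence rather than the only one. The `(char*)&oriY` casts can also be dropped since oriY already decays to char*.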