[Bf-blender-cvs] [e04d7c49dca] master: Fix buffer overflow vulnerabilities in mesh code.

Brecht Van Lommel noreply at git.blender.org
Thu Jan 18 00:55:36 CET 2018


Commit: e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581
Author: Brecht Van Lommel
Date:   Sun Jan 14 22:14:20 2018 +0100
Branches: master
https://developer.blender.org/rBe04d7c49dca9dc7bbf1cbe446b612aaa5ba12581

Fix buffer overflow vulnerabilities in mesh code.

Solves these security issues from T52924:
CVE-2017-12081
CVE-2017-12082
CVE-2017-12086
CVE-2017-12099
CVE-2017-12100
CVE-2017-12101
CVE-2017-12105

While the specific overflow issue may be fixed, loading the repro .blend
files may still crash because they are incomplete and corrupt. The way
they crash may be impossible to exploit, but this is difficult to prove.

Differential Revision: https://developer.blender.org/D3002

===================================================================

M	source/blender/blenkernel/intern/DerivedMesh.c
M	source/blender/blenkernel/intern/cdderivedmesh.c
M	source/blender/blenkernel/intern/curve.c
M	source/blender/blenkernel/intern/customdata.c
M	source/blender/blenkernel/intern/customdata_file.c
M	source/blender/blenkernel/intern/font.c
M	source/blender/blenkernel/intern/mesh.c
M	source/blender/blenkernel/intern/mesh_evaluate.c
M	source/blender/blenkernel/intern/multires.c
M	source/blender/blenloader/intern/readfile.c
M	source/blender/blenloader/intern/versioning_250.c
M	source/blender/blenloader/intern/versioning_legacy.c
M	source/blender/editors/space_view3d/drawobject.c
M	source/blender/modifiers/intern/MOD_array.c
M	source/blender/modifiers/intern/MOD_boolean.c
M	source/blender/modifiers/intern/MOD_build.c
M	source/blender/modifiers/intern/MOD_collision.c
M	source/blender/modifiers/intern/MOD_correctivesmooth.c
M	source/blender/modifiers/intern/MOD_decimate.c
M	source/blender/modifiers/intern/MOD_displace.c
M	source/blender/modifiers/intern/MOD_explode.c
M	source/blender/modifiers/intern/MOD_fluidsim_util.c
M	source/blender/modifiers/intern/MOD_laplaciandeform.c
M	source/blender/modifiers/intern/MOD_laplaciansmooth.c
M	source/blender/modifiers/intern/MOD_mask.c
M	source/blender/modifiers/intern/MOD_meshcache.c
M	source/blender/modifiers/intern/MOD_meshdeform.c
M	source/blender/modifiers/intern/MOD_mirror.c
M	source/blender/modifiers/intern/MOD_normal_edit.c
M	source/blender/modifiers/intern/MOD_particleinstance.c
M	source/blender/modifiers/intern/MOD_screw.c
M	source/blender/modifiers/intern/MOD_skin.c
M	source/blender/modifiers/intern/MOD_smooth.c
M	source/blender/modifiers/intern/MOD_solidify.c
M	source/blender/modifiers/intern/MOD_surface.c
M	source/blender/modifiers/intern/MOD_surfacedeform.c
M	source/blender/modifiers/intern/MOD_util.c
M	source/blender/modifiers/intern/MOD_uvproject.c
M	source/blender/modifiers/intern/MOD_warp.c
M	source/blender/modifiers/intern/MOD_wave.c
M	source/blender/modifiers/intern/MOD_weightvg_util.c
M	source/blender/modifiers/intern/MOD_weightvgedit.c
M	source/blender/modifiers/intern/MOD_weightvgmix.c
M	source/blender/modifiers/intern/MOD_weightvgproximity.c

===================================================================

diff --git a/source/blender/blenkernel/intern/DerivedMesh.c b/source/blender/blenkernel/intern/DerivedMesh.c
index 7ccd00b3f62..48edf55d76e 100644
--- a/source/blender/blenkernel/intern/DerivedMesh.c
+++ b/source/blender/blenkernel/intern/DerivedMesh.c
@@ -184,7 +184,7 @@ static MPoly *dm_getPolyArray(DerivedMesh *dm)
 
 static MVert *dm_dupVertArray(DerivedMesh *dm)
 {
-	MVert *tmp = MEM_mallocN(sizeof(*tmp) * dm->getNumVerts(dm),
+	MVert *tmp = MEM_malloc_arrayN(dm->getNumVerts(dm), sizeof(*tmp),
 	                         "dm_dupVertArray tmp");
 
 	if (tmp) dm->copyVertArray(dm, tmp);
@@ -194,7 +194,7 @@ static MVert *dm_dupVertArray(DerivedMesh *dm)
 
 static MEdge *dm_dupEdgeArray(DerivedMesh *dm)
 {
-	MEdge *tmp = MEM_mallocN(sizeof(*tmp) * dm->getNumEdges(dm),
+	MEdge *tmp = MEM_malloc_arrayN(dm->getNumEdges(dm), sizeof(*tmp),
 	                         "dm_dupEdgeArray tmp");
 
 	if (tmp) dm->copyEdgeArray(dm, tmp);
@@ -204,7 +204,7 @@ static MEdge *dm_dupEdgeArray(DerivedMesh *dm)
 
 static MFace *dm_dupFaceArray(DerivedMesh *dm)
 {
-	MFace *tmp = MEM_mallocN(sizeof(*tmp) * dm->getNumTessFaces(dm),
+	MFace *tmp = MEM_malloc_arrayN(dm->getNumTessFaces(dm), sizeof(*tmp),
 	                         "dm_dupFaceArray tmp");
 
 	if (tmp) dm->copyTessFaceArray(dm, tmp);
@@ -214,7 +214,7 @@ static MFace *dm_dupFaceArray(DerivedMesh *dm)
 
 static MLoop *dm_dupLoopArray(DerivedMesh *dm)
 {
-	MLoop *tmp = MEM_mallocN(sizeof(*tmp) * dm->getNumLoops(dm),
+	MLoop *tmp = MEM_malloc_arrayN(dm->getNumLoops(dm), sizeof(*tmp),
 	                         "dm_dupLoopArray tmp");
 
 	if (tmp) dm->copyLoopArray(dm, tmp);
@@ -224,7 +224,7 @@ static MLoop *dm_dupLoopArray(DerivedMesh *dm)
 
 static MPoly *dm_dupPolyArray(DerivedMesh *dm)
 {
-	MPoly *tmp = MEM_mallocN(sizeof(*tmp) * dm->getNumPolys(dm),
+	MPoly *tmp = MEM_malloc_arrayN(dm->getNumPolys(dm), sizeof(*tmp),
 	                         "dm_dupPolyArray tmp");
 
 	if (tmp) dm->copyPolyArray(dm, tmp);
@@ -525,7 +525,7 @@ void DM_ensure_looptri_data(DerivedMesh *dm)
 
 	if (totpoly) {
 		if (dm->looptris.array_wip == NULL) {
-			dm->looptris.array_wip = MEM_mallocN(sizeof(*dm->looptris.array_wip) * looptris_num, __func__);
+			dm->looptris.array_wip = MEM_malloc_arrayN(looptris_num, sizeof(*dm->looptris.array_wip), __func__);
 			dm->looptris.num_alloc = looptris_num;
 		}
 
@@ -574,7 +574,7 @@ void DM_update_tessface_data(DerivedMesh *dm)
 	    CustomData_has_layer(fdata, CD_TESSLOOPNORMAL) ||
 	    CustomData_has_layer(fdata, CD_TANGENT))
 	{
-		loopindex = MEM_mallocN(sizeof(*loopindex) * totface, __func__);
+		loopindex = MEM_malloc_arrayN(totface, sizeof(*loopindex), __func__);
 
 		for (mf_idx = 0, mf = mface; mf_idx < totface; mf_idx++, mf++) {
 			const int mf_len = mf->v4 ? 4 : 3;
@@ -635,7 +635,7 @@ void DM_generate_tangent_tessface_data(DerivedMesh *dm, bool generate)
 				CustomData_bmesh_update_active_layers(fdata, pdata, ldata);
 
 				if (!loopindex) {
-					loopindex = MEM_mallocN(sizeof(*loopindex) * totface, __func__);
+					loopindex = MEM_malloc_arrayN(totface, sizeof(*loopindex), __func__);
 					for (mf_idx = 0, mf = mface; mf_idx < totface; mf_idx++, mf++) {
 						const int mf_len = mf->v4 ? 4 : 3;
 						unsigned int *ml_idx = loopindex[mf_idx];
@@ -680,7 +680,7 @@ void DM_update_materials(DerivedMesh *dm, Object *ob)
 		if (dm->mat)
 			MEM_freeN(dm->mat);
 
-		dm->mat = MEM_mallocN(totmat * sizeof(*dm->mat), "DerivedMesh.mat");
+		dm->mat = MEM_malloc_arrayN(totmat, sizeof(*dm->mat), "DerivedMesh.mat");
 	}
 
 	/* we leave last material as empty - rationale here is being able to index
@@ -870,7 +870,7 @@ void DM_to_meshkey(DerivedMesh *dm, Mesh *me, KeyBlock *kb)
 	}
 	
 	if (kb->data) MEM_freeN(kb->data);
-	kb->data = MEM_mallocN(me->key->elemsize * me->totvert, "kb->data");
+	kb->data = MEM_malloc_arrayN(me->key->elemsize, me->totvert, "kb->data");
 	kb->totelem = totvert;
 	
 	fp = kb->data;
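Review bot: The new call `kb->data = MEM_malloc_arrayN(me->key->elemsize, me->totvert, "kb->data");` passes the element size as the first argument and the element count as the second, the reverse of the (len, size) order every other call in this diff uses; the byte count and overflow check are the same either way, but it reads as if elemsize were the count. Prefer `kb->data = MEM_malloc_arrayN(me->totvert, me->key->elemsize, "kb->data");` for consistency. The line after it stores the local `totvert` into `kb->totelem` while the allocation is sized by `me->totvert`; presumably these are equal here, but since the function body starts outside the hunk that cannot be confirmed from this view.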
@@ -1206,7 +1206,7 @@ static float (*get_editbmesh_orco_verts(BMEditMesh *em))[3]
 	/* these may not really be the orco's, but it's only for preview.
 	 * could be solver better once, but isn't simple */
 	
-	orco = MEM_mallocN(sizeof(float) * 3 * em->bm->totvert, "BMEditMesh Orco");
+	orco = MEM_malloc_arrayN(em->bm->totvert, sizeof(float) * 3, "BMEditMesh Orco");
 
 	BM_ITER_MESH_INDEX (eve, &iter, em->bm, BM_VERTS_OF_MESH, i) {
 		copy_v3_v3(orco[i], eve->co);
@@ -1280,7 +1280,7 @@ static void add_orco_dm(
 	totvert = dm->getNumVerts(dm);
 
 	if (orcodm) {
-		orco = MEM_callocN(sizeof(float[3]) * totvert, "dm orco");
+		orco = MEM_calloc_arrayN(totvert, sizeof(float[3]), "dm orco");
 		free = 1;
 
 		if (orcodm->getNumVerts(orcodm) == totvert)
@@ -1562,7 +1562,7 @@ void DM_update_weight_mcol(
 		wtcol_v = em->derivedVertColor;
 	}
 	else {
-		wtcol_v = MEM_mallocN(sizeof(*wtcol_v) * numVerts, __func__);
+		wtcol_v = MEM_malloc_arrayN(numVerts, sizeof(*wtcol_v), __func__);
 	}
 
 	/* Weights are given by caller. */
@@ -1571,7 +1571,7 @@ void DM_update_weight_mcol(
 		/* If indices is not NULL, it means we do not have weights for all vertices,
 		 * so we must create them (and set them to zero)... */
 		if (indices) {
-			w = MEM_callocN(sizeof(float) * numVerts, "Temp weight array DM_update_weight_mcol");
+			w = MEM_calloc_arrayN(numVerts, sizeof(float), "Temp weight array DM_update_weight_mcol");
 			i = num;
 			while (i--)
 				w[indices[i]] = weights[i];
@@ -1603,7 +1603,7 @@ void DM_update_weight_mcol(
 		/* now add to loops, so the data can be passed through the modifier stack
 		 * If no CD_PREVIEW_MLOOPCOL existed yet, we have to add a new one! */
 		if (!wtcol_l) {
-			wtcol_l = MEM_mallocN(sizeof(*wtcol_l) * dm_totloop, __func__);
+			wtcol_l = MEM_malloc_arrayN(dm_totloop, sizeof(*wtcol_l), __func__);
 			CustomData_add_layer(&dm->loopData, CD_PREVIEW_MLOOPCOL, CD_ASSIGN, wtcol_l, dm_totloop);
 		}
 
@@ -1658,7 +1658,7 @@ static void shapekey_layers_to_keyblocks(DerivedMesh *dm, Mesh *me, int actshape
 		cos = CustomData_get_layer_n(&dm->vertData, CD_SHAPEKEY, i);
 		kb->totelem = dm->numVertData;
 
-		kb->data = kbcos = MEM_mallocN(sizeof(float) * 3 * kb->totelem, "kbcos DerivedMesh.c");
+		kb->data = kbcos = MEM_malloc_arrayN(kb->totelem, sizeof(float), "kbcos DerivedMesh.c");
 		if (kb->uid == actshape_uid) {
 			MVert *mvert = dm->getVertArray(dm);
 			
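Review bot: The rewritten allocation `kb->data = kbcos = MEM_malloc_arrayN(kb->totelem, sizeof(float), "kbcos DerivedMesh.c");` drops the factor of 3 that the removed line carried (`sizeof(float) * 3 * kb->totelem`), so the block now holds one float per vertex instead of a float[3] per vertex. The code that fills `kbcos` continues outside the hunk, but if it writes three coordinates per element as the old size implies, this replaces a checked allocation with a real under-allocation. The sibling hunk in the same function below passes `3 * sizeof(float)` as the element size; this line should do the same: `kb->data = kbcos = MEM_malloc_arrayN(kb->totelem, 3 * sizeof(float), "kbcos DerivedMesh.c");`.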
@@ -1679,7 +1679,7 @@ static void shapekey_layers_to_keyblocks(DerivedMesh *dm, Mesh *me, int actshape
 				MEM_freeN(kb->data);
 			
 			kb->totelem = dm->numVertData;
-			kb->data = MEM_callocN(sizeof(float) * 3 * kb->totelem, "kb->data derivedmesh.c");
+			kb->data = MEM_calloc_arrayN(kb->totelem, 3 * sizeof(float), "kb->data derivedmesh.c");
 			fprintf(stderr, "%s: lost a shapekey layer: '%s'! (bmesh internal error)\n", __func__, kb->name);
 		}
 	}
@@ -1690,7 +1690,6 @@ static void add_shapekey_layers(DerivedMesh *dm, Mesh *me, Object *UNUSED(ob))
 	KeyBlock *kb;
 	Key *key = me->key;
 	int i;
-	const size_t shape_alloc_len = sizeof(float) * 3 * me->totvert;
 
 	if (!me->key)
 		return;
@@ -1711,11 +1710,11 @@ static void add_shapekey_layers(DerivedMesh *dm, Mesh *me, Object *UNUSED(ob))
 			fprintf(stderr,
 			        "%s: vertex size mismatch (Mesh '%s':%d != KeyBlock '%s':%d)\n",
 			        __func__, me->id.name + 2, me->totvert, kb->name, kb->totelem);
-			array = MEM_callocN(shape_alloc_len, __func__);
+			array = MEM_calloc_arrayN((size_t)me->totvert, 3 * sizeof(float), __func__);
 		}
 		else {
-			array = MEM_mallocN(shape_alloc_len, __func__);
-			memcpy(array, kb->data, shape_alloc_len);
+			array = MEM_malloc_arrayN((size_t)me->totvert, 3 * sizeof(float), __func__);
+			memcpy(array, kb->data, (size_t)me->totvert * 3 * sizeof(float));
 		}
 
 		CustomData_add_layer_named(&dm->vertData, CD_SHAPEKEY, CD_ASSIGN, array, dm->numVertData, kb->name);
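Review bot: The byte count `(size_t)me->totvert * 3 * sizeof(float)` is now spelled out inline on three lines of the two branches, which makes it easy for a future edit to change one and not the others; the removed `shape_alloc_len` local was only a problem because it computed the unchecked product up front. A comment on the `memcpy` line such as `/* same count/size as the MEM_malloc_arrayN above; kb->totelem == me->totvert in this branch */` would make the pairing explicit. The enclosing `add_shapekey_layers` body starts and ends outside this hunk, and the first hunk of the function only removes the old local.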
@@ -1988,7 +1987,7 @@ static void mesh_calc_modifiers(
 					 */
 					numVerts = dm->getNumVerts(dm);
 					deformedVerts =
-					    MEM_mallocN(sizeof(*deformedVerts) * numVerts, "dfmv");
+					    MEM_malloc_arrayN(numVerts, sizeof(*deformedVerts), "dfmv");
 					dm->getVertCos(dm, deformedVerts);
 				}
 				else {
@@ -2281,7 +2280,7 @@ float (*editbmesh_get_vertex_cos(BMEditMesh *em, int *r_numVerts))[3]
 
 	*r_numVerts = em->bm->totvert;
 
-	cos = MEM_mallocN(sizeof(float) * 3 * em->bm->totvert, "vertexcos");
+	cos = MEM_malloc_arrayN(em->bm->totvert, 3 * sizeof(float), "vertexcos");
 
 	BM_ITER_MESH_INDEX (eve, &iter, em->bm, BM_VERTS_OF_MESH, i) {
 		copy_v3_v3(cos[i], eve->co);
@@ -2387,7 +2386,7 @@ static void editbmesh_calc_modifiers(
 					 */
 					numVerts = dm->getNumVerts(dm);
 					deformedVerts =
-					    MEM_mallocN(sizeof(*deformedVerts) * numVerts, "dfmv");
+					    MEM_malloc_arrayN(numVerts, sizeof(*deformedVerts), "dfmv");
 					dm->getVertCos(dm, deformedVerts);
 				}
 				else {
@@ -3000,11 +2999,11 @@ DMCoNo *mesh_get_mapped_verts_nors(Scene *scene, Object *ob)
 	dm = mesh_get_derived_final(scene, ob, CD_MASK_BAREMESH | CD_MASK_ORIGINDEX);
 	
 	if (dm->foreachMappedVert) {
-		vertexcosnos = MEM_callocN(sizeof(DMCoNo) * me->totvert, "vertexcosnos map");
+		vertexcosnos = MEM_calloc_arrayN(me->totvert, sizeof(DMCoNo), "vertexcosnos map");
 		dm->foreachMappedVert(dm, make_vertexcosnos__mapFunc, vertexcosnos);
 	}
 	else {
-		DMCoNo *v_co_no = vertexcosnos = MEM_mallocN(sizeof(DMCoNo) * me->totvert, "vertexcosnos map");
+		DMCoNo *v_co_no = vertexcosnos = MEM_malloc_arrayN(me->totvert, sizeof(DMCoNo), "vertexcosnos map");
 		int a;
 		for (a = 0; a < me->totvert; a++, v_co_no++) {
 			dm->getVertCo(dm, a, v_co_no->co);
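Review bot: The allocation is now overflow-checked, but both branches still size `vertexcosnos` by `me->totvert` while the data is read from the derived mesh `dm`, and the `else` loop calls `dm->getVertCo(dm, a, ...)` for every `a < me->totvert`. If the final derived mesh can have fewer vertices than the original mesh (modifier stacks that remove vertices), those reads go past the derived vertex array; this is pre-existing and not something the commit addresses, so it is worth a follow-up rather than a blocker. A guard along the lines of `BLI_assert(dm->getNumVerts(dm) >= me->totvert);` before the loop, or clamping the loop bound to `dm->getNumVerts(dm)`, would document the assumption. The function body continues outside the hunk.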
@@ -3443,7 +3442,7 @@ void DM_calc_loop_tangents(
 			/* over alloc, since we dont know how many ngon or quads we have */
 
 			/* map fake face index to looptri */
-			face_as_quad_map = MEM_mallocN(sizeof(int) * totface, __func__);
+			face_as_quad_map = MEM_malloc_arrayN(totface, sizeof(int), __func__);
 			int k, j;
 			for (k = 0, j = 0; j < totface; k++, j++) {
 				face_as_quad_map[k] = j;
@@ -4337,7 +4336,7 @@ MVert *DM_get_vert_array(DerivedMesh *dm, bool *allocated)
 	*allocated = false;
 
 	if (mvert == NULL) {
-		mvert = MEM_mallocN(sizeof(MVert) * dm->getNumVerts(dm), "dmvh vert data array");
+		mvert = ME

@@ Diff output truncated at 10240 characters. @@


