[Bf-blender-cvs] [1724ff29e03] master: readfile: skip negative sized thumbnails

Campbell Barton noreply at git.blender.org
Mon Feb 11 09:12:29 CET 2019


Commit: 1724ff29e03c9748504cbe92b3b9e4f22db01122
Author: Campbell Barton
Date:   Mon Feb 11 19:09:27 2019 +1100
Branches: master
https://developer.blender.org/rB1724ff29e03c9748504cbe92b3b9e4f22db01122

readfile: skip negative sized thumbnails

We may want to use the 'TEST' BCode in the future to include data
besides thumbnails. This allows negative values to be used without
attempting to load a thumbnail.

===================================================================

M	source/blender/blenkernel/BKE_main.h
M	source/blender/blenloader/intern/readfile.c

===================================================================

diff --git a/source/blender/blenkernel/BKE_main.h b/source/blender/blenkernel/BKE_main.h
index 88387b88d96..a96c1399979 100644
--- a/source/blender/blenkernel/BKE_main.h
+++ b/source/blender/blenkernel/BKE_main.h
@@ -169,8 +169,12 @@ int set_listbasepointers(struct Main *main, struct ListBase *lb[MAX_LIBARRAY]);
 
 #define BLEN_THUMB_SIZE 128
 
-#define BLEN_THUMB_MEMSIZE(_x, _y) (sizeof(BlendThumbnail) + ((size_t)(_x) * (size_t)(_y)) * sizeof(int))
-#define BLEN_THUMB_SAFE_MEMSIZE(_x, _y) ((uint64_t)_x * (uint64_t)_y < (SIZE_MAX / (sizeof(int) * 4)))
+#define BLEN_THUMB_MEMSIZE(_x, _y) \
+	(sizeof(BlendThumbnail) + ((size_t)(_x) * (size_t)(_y)) * sizeof(int))
+/** Protect against buffer overflow vulnerability & negative sizes. */
+#define BLEN_THUMB_MEMSIZE_IS_VALID(_x, _y) \
+	(((_x) > 0 && (_y) > 0) && \
+	 ((uint64_t)(_x) * (uint64_t)(_y) < (SIZE_MAX / (sizeof(int) * 4))))
 
 #ifdef __cplusplus
 }
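Review bot: The doc comment on `BLEN_THUMB_MEMSIZE_IS_VALID` does not say that it is a precondition for the size macros. `BLEN_THUMB_MEMSIZE` casts its arguments to `size_t` with no check of its own, so a negative width or height taken from a file becomes a very large size if a caller skips the validity test. The comment also mentions only negative sizes, although the `> 0` tests reject zero as well. I would word it as `/** Reject zero/negative sizes and products that would overflow; must pass before BLEN_THUMB_MEMSIZE() or BLEN_THUMB_MEMSIZE_FILE() is applied to file data. */`. As a style point, the macro expands `_x` and `_y` twice each, so a `static inline` function would avoid double evaluation if an argument ever has side effects.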
diff --git a/source/blender/blenloader/intern/readfile.c b/source/blender/blenloader/intern/readfile.c
index 3afa5f4a406..adef6e4dc2d 100644
--- a/source/blender/blenloader/intern/readfile.c
+++ b/source/blender/blenloader/intern/readfile.c
@@ -977,10 +977,9 @@ static int *read_file_thumbnail(FileData *fd)
 				BLI_endian_switch_int32(&data[1]);
 			}
 
-			int width = data[0];
-			int height = data[1];
-
-			if (!BLEN_THUMB_SAFE_MEMSIZE(width, height)) {
+			const int width = data[0];
+			const int height = data[1];
+			if (!BLEN_THUMB_MEMSIZE_IS_VALID(width, height)) {
 				break;
 			}
 			if (bhead->len < BLEN_THUMB_MEMSIZE_FILE(width, height)) {
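Review bot: The length comparison that follows the new validity check, `bhead->len < BLEN_THUMB_MEMSIZE_FILE(width, height)`, may compare a signed value against an unsigned one. If `bhead->len` is a signed int and the macro yields `size_t` (neither definition is visible in this hunk), a negative block length read from the file converts to a huge unsigned value and passes the test. An explicit guard removes the ambiguity: `if (bhead->len < 0 || (size_t)bhead->len < BLEN_THUMB_MEMSIZE_FILE(width, height)) {`. The hunk also does not show whether the block is confirmed to hold at least two ints before `data[0]` and `data[1]` are read. read_file_thumbnail starts and ends outside the hunk, so both points need checking against the full function.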
@@ -1422,14 +1421,11 @@ BlendThumbnail *BLO_thumbnail_from_file(const char *filepath)
 	fd_data = fd ? read_file_thumbnail(fd) : NULL;
 
 	if (fd_data) {
-		int width = fd_data[0];
-		int height = fd_data[1];
-
-		/* Protect against buffer overflow vulnerability. */
-		if (BLEN_THUMB_SAFE_MEMSIZE(width, height)) {
+		const int width = fd_data[0];
+		const int height = fd_data[1];
+		if (BLEN_THUMB_MEMSIZE_IS_VALID(width, height)) {
 			const size_t sz = BLEN_THUMB_MEMSIZE(width, height);
 			data = MEM_mallocN(sz, __func__);
-
 			if (data) {
 				BLI_assert((sz - sizeof(*data)) == (BLEN_THUMB_MEMSIZE_FILE(width, height) - (sizeof(*fd_data) * 2)));
 				data->width = width;
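Review bot: The call-site comment `/* Protect against buffer overflow vulnerability. */` is removed here and in the blo_read_file_internal hunk below, so a reader no longer sees why `width` and `height` are tested before `MEM_mallocN`. Both values come straight from file data and feed the allocation size, so a short note is worth keeping at each site, e.g. `/* width/height are untrusted file data: validate before sizing the allocation. */`. If read_file_thumbnail only returns non-NULL after the same macro has passed (its return path is outside this hunk), the comment should also say the repeat check is deliberate defence in depth, so it is not later removed as redundant. The `BLI_assert` on the next line is presumably compiled out of release builds, so it should not be counted as part of the validation.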
@@ -8997,11 +8993,9 @@ BlendFileData *blo_read_file_internal(FileData *fd, const char *filepath)
 		const int *data = read_file_thumbnail(fd);
 
 		if (data) {
-			int width = data[0];
-			int height = data[1];
-
-			/* Protect against buffer overflow vulnerability. */
-			if (BLEN_THUMB_SAFE_MEMSIZE(width, height)) {
+			const int width = data[0];
+			const int height = data[1];
+			if (BLEN_THUMB_MEMSIZE_IS_VALID(width, height)) {
 				const size_t sz = BLEN_THUMB_MEMSIZE(width, height);
 				bfd->main->blen_thumb = MEM_mallocN(sz, __func__);


