[Bf-blender-cvs] [8931c4b18d5] master: Fix possible buffer overflow from incorrect 'strncat' use

Campbell Barton noreply at git.blender.org
Wed Mar 4 05:27:22 CET 2020


Commit: 8931c4b18d5e15366c755346f0c982698f661e6f
Author: Campbell Barton
Date:   Wed Mar 4 15:12:36 2020 +1100
Branches: master
https://developer.blender.org/rB8931c4b18d5e15366c755346f0c982698f661e6f

Fix possible buffer overflow from incorrect 'strncat' use

The size argument is the maximum number of bytes to copy,
not the destination buffer size.

Replace with utility function that joins strings.

===================================================================

M	source/blender/render/intern/source/render_result.c

===================================================================

diff --git a/source/blender/render/intern/source/render_result.c b/source/blender/render/intern/source/render_result.c
index b2225d70eaf..81395399134 100644
--- a/source/blender/render/intern/source/render_result.c
+++ b/source/blender/render/intern/source/render_result.c
@@ -35,6 +35,7 @@
 #include "BLI_path_util.h"
 #include "BLI_rect.h"
 #include "BLI_string.h"
+#include "BLI_string_utils.h"
 #include "BLI_threads.h"
 
 #include "BKE_appdir.h"
@@ -181,26 +182,33 @@ void render_result_views_shallowdelete(RenderResult *rr)
 
 static char *set_pass_name(char *outname, const char *name, int channel, const char *chan_id)
 {
-  BLI_strncpy(outname, name, EXR_PASS_MAXNAME);
+  const char *strings[2];
+  int strings_len = 0;
+  strings[strings_len++] = name;
+  char token[2];
   if (channel >= 0) {
-    char token[3] = {'.', chan_id[channel], '\0'};
-    strncat(outname, token, EXR_PASS_MAXNAME);
+    ARRAY_SET_ITEMS(token, chan_id[channel], '\0');
+    strings[strings_len++] = token;
   }
+  BLI_string_join_array_by_sep_char(outname, EXR_PASS_MAXNAME, '.', strings, strings_len);
   return outname;
 }
 
 static void set_pass_full_name(
     char *fullname, const char *name, int channel, const char *view, const char *chan_id)
 {
-  BLI_strncpy(fullname, name, EXR_PASS_MAXNAME);
+  const char *strings[3];
+  int strings_len = 0;
+  strings[strings_len++] = name;
   if (view && view[0]) {
-    strncat(fullname, ".", EXR_PASS_MAXNAME);
-    strncat(fullname, view, EXR_PASS_MAXNAME);
+    strings[strings_len++] = view;
   }
+  char token[2];
   if (channel >= 0) {
-    char token[3] = {'.', chan_id[channel], '\0'};
-    strncat(fullname, token, EXR_PASS_MAXNAME);
+    ARRAY_SET_ITEMS(token, chan_id[channel], '\0');
+    strings[strings_len++] = token;
   }
+  BLI_string_join_array_by_sep_char(fullname, EXR_PASS_MAXNAME, '.', strings, strings_len);
 }
 
 /********************************** New **************************************/
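Review bot: Both set_pass_name and set_pass_full_name now rely on the caller's buffer being at least EXR_PASS_MAXNAME bytes, and nothing in the hunk states or checks that; the size passed to `BLI_string_join_array_by_sep_char` is a bare constant, not derived from the destination. A short comment above each function would make the contract explicit, e.g. `/* outname must be at least EXR_PASS_MAXNAME bytes; the joined name is truncated to fit. */`. Truncation also appears to be silent, since the join's return value is unused at both call sites, so with a long pass and view name the trailing channel token could be cut and several channels could end up with the same full name; it is worth confirming that callers cannot reach that length. Separately, `chan_id[channel]` is guarded only by `channel >= 0`, so an index past the end of chan_id would still be read; an upper-bound check needs the string length, which is not visible in this hunk.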


