[Bf-blender-cvs] [87d9d33c006] master: Fix T96691: Heap corruption in file_browse_exec

Campbell Barton noreply at git.blender.org
Tue Mar 29 02:48:51 CEST 2022


Commit: 87d9d33c0066bdd6eaf3fd38689f99db8e79dd03
Author: Campbell Barton
Date:   Tue Mar 29 10:11:40 2022 +1100
Branches: master
https://developer.blender.org/rB87d9d33c0066bdd6eaf3fd38689f99db8e79dd03

Fix T96691: Heap corruption in file_browse_exec

Regression in [0], also pad the buffer by 1 instead of 2, which is no
longer needed as the trailing slash is no longer added
after allocating the string.

[0]: 0682af0d63a44b050d57bdaf7699e364a311d711

===================================================================

M	source/blender/editors/space_buttons/buttons_ops.c

===================================================================

diff --git a/source/blender/editors/space_buttons/buttons_ops.c b/source/blender/editors/space_buttons/buttons_ops.c
index f91ed5eb4f3..10fb008049d 100644
--- a/source/blender/editors/space_buttons/buttons_ops.c
+++ b/source/blender/editors/space_buttons/buttons_ops.c
@@ -207,13 +207,13 @@ static int file_browse_exec(bContext *C, wmOperator *op)
       /* Do this first so '//' isn't converted to '//\' on windows. */
       BLI_path_slash_ensure(path);
       if (is_relative) {
-        const int path_len = BLI_strncpy_rlen(path, str, FILE_MAX);
         BLI_path_rel(path, BKE_main_blendfile_path(bmain));
-        str = MEM_reallocN(str, path_len + 2);
-        BLI_strncpy(str, path, FILE_MAX);
+        str_len = strlen(path);
+        str = MEM_reallocN(str, str_len + 1);
+        memcpy(str, path, str_len + 1);
       }
       else {
-        str = MEM_reallocN(str, str_len + 2);
+        str = MEM_reallocN(str, str_len + 1);
       }
     }
     else {
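Review bot: The else branch still sizes the buffer with `str = MEM_reallocN(str, str_len + 1);` from a `str_len` that is set outside this hunk, while the `is_relative` branch now recomputes it with `strlen(path)` immediately before allocating. Nothing in the visible lines shows whether that earlier `str_len` already accounts for the slash appended by `BLI_path_slash_ensure(path)`, or whether `path` is copied into `str` afterwards. If it is, dropping the pad from 2 to 1 leaves no slack for an off-by-one. Consider making both branches follow the same pattern (take `strlen(path)` after the last call that modifies `path`, allocate `str_len + 1`, then `memcpy` the same count), or add a comment in the else branch stating where `str_len` comes from and that it includes the trailing slash. Also, `strlen()` returns `size_t`; if `str_len` is declared as `int` above the hunk, the assignment narrows implicitly, so an explicit cast or a `size_t` declaration would make the intent clear.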


