[Bf-blender-cvs] [9f15ee3c7ae] blender-v3.1-release: Fix T96691: Heap corruption in file_browse_exec
Campbell Barton
noreply at git.blender.org
Tue Mar 29 16:35:23 CEST 2022
Commit: 9f15ee3c7ae03c19a09f5a48e29960e18c6628c0
Author: Campbell Barton
Date: Tue Mar 29 10:11:40 2022 +1100
Branches: blender-v3.1-release
https://developer.blender.org/rB9f15ee3c7ae03c19a09f5a48e29960e18c6628c0
Fix T96691: Heap corruption in file_browse_exec
Regression in [0], also pad the buffer by 1 instead of 2, which is no
longer needed as the trailing slash is no longer added
after allocating the string.
[0]: 0682af0d63a44b050d57bdaf7699e364a311d711
===================================================================
M source/blender/editors/space_buttons/buttons_ops.c
===================================================================
diff --git a/source/blender/editors/space_buttons/buttons_ops.c b/source/blender/editors/space_buttons/buttons_ops.c
index 46d6df7c69c..dc05e1bc609 100644
--- a/source/blender/editors/space_buttons/buttons_ops.c
+++ b/source/blender/editors/space_buttons/buttons_ops.c
@@ -222,13 +222,13 @@ static int file_browse_exec(bContext *C, wmOperator *op)
/* Do this first so '//' isn't converted to '//\' on windows. */
BLI_path_slash_ensure(path);
if (is_relative) {
- const int path_len = BLI_strncpy_rlen(path, str, FILE_MAX);
BLI_path_rel(path, BKE_main_blendfile_path(bmain));
- str = MEM_reallocN(str, path_len + 2);
- BLI_strncpy(str, path, FILE_MAX);
+ str_len = strlen(path);
+ str = MEM_reallocN(str, str_len + 1);
+ memcpy(str, path, str_len + 1);
}
else {
- str = MEM_reallocN(str, str_len + 2);
+ str = MEM_reallocN(str, str_len + 1);
}
}
else {
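Review bot: In the non-relative `else` branch, `str = MEM_reallocN(str, str_len + 1);` sizes the buffer from a `str_len` that this hunk never recomputes after `BLI_path_slash_ensure(path)` may have lengthened `path`, so the branch is only safe if nothing later copies the slash-terminated `path` into `str` or appends a separator to it. The relative branch now makes its invariant explicit by taking `strlen(path)` after `BLI_path_rel()` and copying exactly `str_len + 1` bytes; I would either do the same here or add a comment stating that `str` is left unmodified in this branch and that `str_len` is its current length. The removed lines bounded the copy by `FILE_MAX` rather than by the allocation size, so a short comment tying each allocation to the length it was measured from would help keep that mismatch from returning. It is also worth confirming that `str_len` has a type that holds the result of `strlen()` without narrowing, since its declaration is outside the visible lines.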