BLI_path: add a size argument to BLI_path_frame

Resolves potential buffer overflow in
USDVolumeWriter::construct_vdb_file_path which passed in a smaller
fixed size buffer than FILE_MAX.
Campbell Barton 2023-05-02 17:01:02 +10:00
parent 0428043967
commit f154d37335
12 changed files with 24 additions and 24 deletions

@ -2322,6 +2322,6 @@ string MANTA::getFile(
string path = getDirectory(fmd, subdirectory);
string filename = fname + "_####" + extension;
BLI_path_join(targetFile, sizeof(targetFile), path.c_str(), filename.c_str());
BLI_path_frame(targetFile, framenr, 0);
BLI_path_frame(targetFile, sizeof(targetFile), framenr, 0);
return targetFile;
}

@ -400,7 +400,7 @@ bool BKE_cachefile_filepath_get(const Main *bmain,
char ext[32];
BLI_path_frame_strip(r_filepath, ext, sizeof(ext));
BLI_path_frame(r_filepath, frame, frame_len);
BLI_path_frame(r_filepath, FILE_MAX, frame, frame_len);
BLI_path_extension_ensure(r_filepath, FILE_MAX, ext);
/* TODO(kevin): store sequence range? */
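Review bot: The `FILE_MAX` passed to `BLI_path_frame` here is an assumption about the caller's buffer rather than its measured size, which is the same assumption this commit removes from `BLI_path_frame` itself. The declaration of `r_filepath` is outside the hunk, so this may be fine if every caller really passes a `FILE_MAX` array, but nothing visible enforces it. The same applies to `get_proxy_filepath`, `volume_filepath_get`, `append_frame_to_filename` (which takes a plain `char *`) and `do_makepicstring`, where the new `char string[FILE_MAX]` parameter documents the bound but still decays to a pointer. Consider passing the size down from the caller, or at least stating the requirement next to each signature, e.g. `/* r_filepath must point to at least FILE_MAX bytes. */`.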

@ -525,7 +525,7 @@ int BKE_image_path_ensure_ext_from_imtype(char *string, const char imtype)
return do_add_image_extension(string, imtype, nullptr);
}
static void do_makepicstring(char *string,
static void do_makepicstring(char string[FILE_MAX],
const char *base,
const char *relbase,
int frame,
@ -542,7 +542,7 @@ static void do_makepicstring(char *string,
BLI_path_abs(string, relbase);
if (use_frames) {
BLI_path_frame(string, frame, 4);
BLI_path_frame(string, FILE_MAX, frame, 4);
}
if (suffix) {

@ -544,7 +544,7 @@ static void get_proxy_filepath(const MovieClip *clip,
}
BLI_path_abs(filepath, BKE_main_blendfile_path_from_global());
BLI_path_frame(filepath, 1, 0);
BLI_path_frame(filepath, FILE_MAX, 1, 0);
BLI_strncat(filepath, ".jpg", FILE_MAX);
}

@ -769,7 +769,7 @@ static void volume_filepath_get(const Main *bmain, const Volume *volume, char r_
if (volume->is_sequence && BLI_path_frame_get(r_filepath, &path_frame, &path_digits)) {
char ext[32];
BLI_path_frame_strip(r_filepath, ext, sizeof(ext));
BLI_path_frame(r_filepath, volume->runtime.frame, path_digits);
BLI_path_frame(r_filepath, FILE_MAX, volume->runtime.frame, path_digits);
BLI_path_extension_ensure(r_filepath, FILE_MAX, ext);
}
}

@ -423,7 +423,7 @@ bool BLI_path_abs(char *path, const char *basepath) ATTR_NONNULL();
* Replaces "#" character sequence in last slash-separated component of `path`
* with frame as decimal integer, with leading zeroes as necessary, to make digits.
*/
bool BLI_path_frame(char *path, int frame, int digits) ATTR_NONNULL();
bool BLI_path_frame(char *path, size_t path_maxncpy, int frame, int digits) ATTR_NONNULL();
/**
* Replaces "#" character sequence in last slash-separated component of `path`
* with sta and end as decimal integers, with leading zeroes as necessary, to make digits

@ -852,7 +852,7 @@ static void ensure_digits(char *path, int digits)
}
}
bool BLI_path_frame(char *path, int frame, int digits)
bool BLI_path_frame(char *path, size_t path_maxncpy, int frame, int digits)
{
int ch_sta, ch_end;
@ -864,7 +864,7 @@ bool BLI_path_frame(char *path, int frame, int digits)
char tmp[FILE_MAX];
BLI_snprintf(
tmp, sizeof(tmp), "%.*s%.*d%s", ch_sta, path, ch_end - ch_sta, frame, path + ch_end);
BLI_strncpy(path, tmp, FILE_MAX);
BLI_strncpy(path, tmp, path_maxncpy);
return true;
}
return false;
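Review bot: `BLI_path_frame` still returns `true` when the final `BLI_strncpy(path, tmp, path_maxncpy)` cuts the expanded name short, so a caller with a small buffer gets a different path than it asked for and has no way to notice. For a function that builds output file names, this can collapse several frames onto one truncated name. Returning `false` when the result does not fit, e.g. `if (strlen(tmp) >= path_maxncpy) { return false; }` before the copy, would make it detectable, although callers in this commit such as `construct_vdb_file_path` ignore the return value today. `tmp` is also still `FILE_MAX` bytes, so a `path_maxncpy` larger than that is truncated earlier, by the `BLI_snprintf`. The function body is only partly visible in these two hunks; `ensure_digits` in the hunk header still takes no size, and if it appends `#` characters to `path` in place it should receive `path_maxncpy` as well.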

@ -570,42 +570,42 @@ TEST(path_util, Frame)
{
char path[FILE_MAX] = "";
ret = BLI_path_frame(path, 123, 1);
ret = BLI_path_frame(path, sizeof(path), 123, 1);
EXPECT_TRUE(ret);
EXPECT_STREQ(path, "123");
}
{
char path[FILE_MAX] = "";
ret = BLI_path_frame(path, 123, 12);
ret = BLI_path_frame(path, sizeof(path), 123, 12);
EXPECT_TRUE(ret);
EXPECT_STREQ(path, "000000000123");
}
{
char path[FILE_MAX] = "test_";
ret = BLI_path_frame(path, 123, 1);
ret = BLI_path_frame(path, sizeof(path), 123, 1);
EXPECT_TRUE(ret);
EXPECT_STREQ(path, "test_123");
}
{
char path[FILE_MAX] = "test_";
ret = BLI_path_frame(path, 1, 12);
ret = BLI_path_frame(path, sizeof(path), 1, 12);
EXPECT_TRUE(ret);
EXPECT_STREQ(path, "test_000000000001");
}
{
char path[FILE_MAX] = "test_############";
ret = BLI_path_frame(path, 1, 0);
ret = BLI_path_frame(path, sizeof(path), 1, 0);
EXPECT_TRUE(ret);
EXPECT_STREQ(path, "test_000000000001");
}
{
char path[FILE_MAX] = "test_#_#_middle";
ret = BLI_path_frame(path, 123, 0);
ret = BLI_path_frame(path, sizeof(path), 123, 0);
EXPECT_TRUE(ret);
EXPECT_STREQ(path, "test_#_123_middle");
}
@ -613,14 +613,14 @@ TEST(path_util, Frame)
/* intentionally fail */
{
char path[FILE_MAX] = "";
ret = BLI_path_frame(path, 123, 0);
ret = BLI_path_frame(path, sizeof(path), 123, 0);
EXPECT_FALSE(ret);
EXPECT_STREQ(path, "");
}
{
char path[FILE_MAX] = "test_middle";
ret = BLI_path_frame(path, 123, 0);
ret = BLI_path_frame(path, sizeof(path), 123, 0);
EXPECT_FALSE(ret);
EXPECT_STREQ(path, "test_middle");
}
@ -628,13 +628,13 @@ TEST(path_util, Frame)
/* negative frame numbers */
{
char path[FILE_MAX] = "test_####";
ret = BLI_path_frame(path, -1, 4);
ret = BLI_path_frame(path, sizeof(path), -1, 4);
EXPECT_TRUE(ret);
EXPECT_STREQ(path, "test_-0001");
}
{
char path[FILE_MAX] = "test_####";
ret = BLI_path_frame(path, -100, 4);
ret = BLI_path_frame(path, sizeof(path), -100, 4);
EXPECT_TRUE(ret);
EXPECT_STREQ(path, "test_-0100");
}
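Review bot: Every case in `TEST(path_util, Frame)` still uses a `FILE_MAX` buffer, so the situation the new argument exists for, a destination smaller than `FILE_MAX`, is never exercised. I would add a case with a deliberately small buffer, for example `char path[8] = "ab_####";` expanded with a six-digit frame. It should assert that the result stays NUL-terminated with `strlen(path) < sizeof(path)`, and check whatever return value is decided for the truncated case. The test body starts before the first hunk, so an equivalent case may already exist outside the lines shown.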

@ -407,7 +407,7 @@ static void dynamicPaint_bakeImageSequence(DynamicPaintBakeJob *job)
/* set filepath */
BLI_path_join(
filepath, sizeof(filepath), surface->image_output_path, surface->output_name);
BLI_path_frame(filepath, frame, 4);
BLI_path_frame(filepath, sizeof(filepath), frame, 4);
/* save image */
dynamicPaint_outputSurfaceImage(surface, filepath, 0);
@ -417,7 +417,7 @@ static void dynamicPaint_bakeImageSequence(DynamicPaintBakeJob *job)
/* set filepath */
BLI_path_join(
filepath, sizeof(filepath), surface->image_output_path, surface->output_name2);
BLI_path_frame(filepath, frame, 4);
BLI_path_frame(filepath, sizeof(filepath), frame, 4);
/* save image */
dynamicPaint_outputSurfaceImage(surface, filepath, 1);

@ -1253,7 +1253,7 @@ void sequencer_image_seq_reserve_frames(
for (int i = 0; i < len; i++, se++) {
BLI_strncpy(filename_stripped, filename, sizeof(filename_stripped));
BLI_path_frame(filename_stripped, minframe + i, numdigits);
BLI_path_frame(filename_stripped, sizeof(filename_stripped), minframe + i, numdigits);
BLI_snprintf(se->name, sizeof(se->name), "%s%s", filename_stripped, ext);
}

@ -147,7 +147,7 @@ std::optional<std::string> USDVolumeWriter::construct_vdb_file_path(const Volume
if (!timecode.IsDefault()) {
const int frame = int(timecode.GetValue());
const int num_frame_digits = frame == 0 ? 1 : integer_digits_i(abs(frame));
BLI_path_frame(vdb_file_name, frame, num_frame_digits);
BLI_path_frame(vdb_file_name, sizeof(vdb_file_name), frame, num_frame_digits);
}
BLI_strncat(vdb_file_name, ".vdb", sizeof(vdb_file_name));

@ -306,7 +306,7 @@ bool append_frame_to_filename(const char *filepath, const int frame, char *r_fil
BLI_strncpy(r_filepath_with_frames, filepath, FILE_MAX);
BLI_path_extension_strip(r_filepath_with_frames);
const int digits = frame == 0 ? 1 : integer_digits_i(abs(frame));
BLI_path_frame(r_filepath_with_frames, frame, digits);
BLI_path_frame(r_filepath_with_frames, FILE_MAX, frame, digits);
return BLI_path_extension_replace(r_filepath_with_frames, FILE_MAX, ".obj");
}