Some strings to store ID names were too small, could cause stack corruption.

corrected these and replaced 'sizeof(((ID *)NULL)->name)-2' with 'MAX_ID_NAME-2'.
2011-04-19 06:59:49 +00:00 · 2011-04-19 06:59:49 +00:00 · 5b920bc2ff
commit 5b920bc2ff
parent 6a91cf9adb
13 changed files with 19 additions and 19 deletions
--- a/source/blender/blenkernel/intern/library.c
+++ b/source/blender/blenkernel/intern/library.c
@ -1157,7 +1157,7 @@ static int check_for_dupid(ListBase *lb, ID *id, char *name)
 int new_id(ListBase *lb, ID *id, const char *tname)
 {
 	int result;
-	char name[22];
+	char name[MAX_ID_NAME-2];

 	/* if library, don't rename */
 	if(id->lib) return 0;
--- a/source/blender/editors/interface/interface.c
+++ b/source/blender/editors/interface/interface.c
@ -1390,7 +1390,7 @@ int ui_get_but_string_max_length(uiBut *but)
 	if(ELEM(but->type, TEX, SEARCH_MENU))
 		return but->hardmax;
 	else if(but->type == IDPOIN)
-		return sizeof(((ID*)NULL)->name)-2;
+		return MAX_ID_NAME-2;
 	else
 		return UI_MAX_DRAW_STR;
 }
--- a/source/blender/editors/interface/interface_utils.c
+++ b/source/blender/editors/interface/interface_utils.c
@ -52,7 +52,7 @@ uiBut *uiDefAutoButR(uiBlock *block, PointerRNA *ptr, PropertyRNA *prop, int ind
 {
 	uiBut *but=NULL;
 	const char *propname= RNA_property_identifier(prop);
-	char prop_item[sizeof(((IDProperty *)NULL)->name)+4]; /* size of the ID prop name + room for [""] */
+	char prop_item[MAX_IDPROP_NAME+4]; /* size of the ID prop name + room for [""] */
 	int arraylen= RNA_property_array_length(ptr, prop);

 	/* support for custom props */
--- a/source/blender/editors/object/object_relations.c
+++ b/source/blender/editors/object/object_relations.c
@ -402,7 +402,7 @@ void OBJECT_OT_proxy_make (wmOperatorType *ot)
 	ot->flag= OPTYPE_REGISTER|OPTYPE_UNDO;
 	
 	/* properties */
-	RNA_def_string(ot->srna, "object", "", sizeof(((ID *)NULL)->name)-2, "Proxy Object", "Name of lib-linked/grouped object to make a proxy for.");
+	RNA_def_string(ot->srna, "object", "", MAX_ID_NAME-2, "Proxy Object", "Name of lib-linked/grouped object to make a proxy for.");
 	prop= RNA_def_enum(ot->srna, "type", DummyRNA_DEFAULT_items, 0, "Type", "Group object"); /* XXX, relies on hard coded ID at the moment */
 	RNA_def_enum_funcs(prop, proxy_group_object_itemf);
 	ot->prop= prop;
--- a/source/blender/editors/render/render_internal.c
+++ b/source/blender/editors/render/render_internal.c
@ -736,7 +736,7 @@ static int screen_render_invoke(bContext *C, wmOperator *op, wmEvent *event)
 	if(RNA_property_is_set(op->ptr, "layer")) {
 		SceneRenderLayer *rl;
 		Scene *scn;
-		char scene_name[19], rl_name[RE_MAXNAME];
+		char scene_name[MAX_ID_NAME-2], rl_name[RE_MAXNAME];

 		RNA_string_get(op->ptr, "layer", rl_name);
 		RNA_string_get(op->ptr, "scene", scene_name);
@ -828,7 +828,7 @@ void RENDER_OT_render(wmOperatorType *ot)
 	RNA_def_boolean(ot->srna, "animation", 0, "Animation", "Render files from the animation range of this scene");
 	RNA_def_boolean(ot->srna, "write_still", 0, "Write Image", "Save rendered the image to the output path (used only when animation is disabled)");
 	RNA_def_string(ot->srna, "layer", "", RE_MAXNAME, "Render Layer", "Single render layer to re-render");
-	RNA_def_string(ot->srna, "scene", "", sizeof(((ID *)NULL)->name)-2, "Scene", "Re-render single layer in this scene");
+	RNA_def_string(ot->srna, "scene", "", MAX_ID_NAME-2, "Scene", "Re-render single layer in this scene");
 }

 /* ****************************** opengl render *************************** */
--- a/source/blender/editors/screen/screen_edit.c
+++ b/source/blender/editors/screen/screen_edit.c
@ -1627,7 +1627,7 @@ ScrArea *ED_screen_full_toggle(bContext *C, wmWindow *win, ScrArea *sa)
 	}
 	else {
 		ScrArea *newa;
-		char newname[20];
+		char newname[MAX_ID_NAME-2];

 		oldscreen= win->screen;

--- a/source/blender/editors/sound/sound_ops.c
+++ b/source/blender/editors/sound/sound_ops.c
@ -219,7 +219,7 @@ static int sound_unpack_exec(bContext *C, wmOperator *op)

 	/* find the suppplied image by name */
 	if (RNA_property_is_set(op->ptr, "id")) {
-		char sndname[22];
+		char sndname[MAX_ID_NAME-2];
 		RNA_string_get(op->ptr, "id", sndname);
 		sound = BLI_findstring(&CTX_data_main(C)->sound, sndname, offsetof(ID, name) + 2);
 	}
@ -276,7 +276,7 @@ static void SOUND_OT_unpack(wmOperatorType *ot)

 	/* properties */
 	RNA_def_enum(ot->srna, "method", unpack_method_items, PF_USE_LOCAL, "Method", "How to unpack.");
-	RNA_def_string(ot->srna, "id", "", sizeof(((ID *)NULL)->name)-2, "Sound Name", "Sound datablock name to unpack."); /* XXX, weark!, will fail with library, name collisions */
+	RNA_def_string(ot->srna, "id", "", MAX_ID_NAME-2, "Sound Name", "Sound datablock name to unpack."); /* XXX, weark!, will fail with library, name collisions */
 }

 /* ******************************************************* */
--- a/source/blender/editors/space_image/image_ops.c
+++ b/source/blender/editors/space_image/image_ops.c
@ -1279,7 +1279,7 @@ static int image_new_exec(bContext *C, wmOperator *op)
 	Image *ima;
 	PointerRNA ptr, idptr;
 	PropertyRNA *prop;
-	char name[22];
+	char name[MAX_ID_NAME-2];
 	float color[4];
 	int width, height, floatbuf, uvtestgrid, alpha;

@ -1352,7 +1352,7 @@ void IMAGE_OT_new(wmOperatorType *ot)
 	ot->flag= OPTYPE_UNDO;

 	/* properties */
-	RNA_def_string(ot->srna, "name", "untitled", sizeof(((ID *)NULL)->name)-2, "Name", "Image datablock name.");
+	RNA_def_string(ot->srna, "name", "untitled", MAX_ID_NAME-2, "Name", "Image datablock name.");
 	RNA_def_int(ot->srna, "width", 1024, 1, INT_MAX, "Width", "Image width.", 1, 16384);
 	RNA_def_int(ot->srna, "height", 1024, 1, INT_MAX, "Height", "Image height.", 1, 16384);
 	prop= RNA_def_float_color(ot->srna, "color", 4, NULL, 0.0f, FLT_MAX, "Color", "Default fill color.", 0.0f, 1.0f);
@ -1538,7 +1538,7 @@ static int image_unpack_exec(bContext *C, wmOperator *op)

 	/* find the suppplied image by name */
 	if (RNA_property_is_set(op->ptr, "id")) {
-		char imaname[22];
+		char imaname[MAX_ID_NAME-2];
 		RNA_string_get(op->ptr, "id", imaname);
 		ima = BLI_findstring(&CTX_data_main(C)->image, imaname, offsetof(ID, name) + 2);
 		if (!ima) ima = CTX_data_edit_image(C);
@ -1604,7 +1604,7 @@ void IMAGE_OT_unpack(wmOperatorType *ot)
 	
 	/* properties */
 	RNA_def_enum(ot->srna, "method", unpack_method_items, PF_USE_LOCAL, "Method", "How to unpack.");
-	RNA_def_string(ot->srna, "id", "", sizeof(((ID *)NULL)->name)-2, "Image Name", "Image datablock name to unpack."); /* XXX, weark!, will fail with library, name collisions */
+	RNA_def_string(ot->srna, "id", "", MAX_ID_NAME-2, "Image Name", "Image datablock name to unpack."); /* XXX, weark!, will fail with library, name collisions */
 }

 /******************** sample image operator ********************/
--- a/source/blender/editors/space_node/drawnode.c
+++ b/source/blender/editors/space_node/drawnode.c
@ -518,7 +518,7 @@ static void node_composit_buts_renderlayers(uiLayout *layout, bContext *C, Point
 	PointerRNA scn_ptr;
 	PropertyRNA *prop;
 	const char *layer_name;
-	char scene_name[19];
+	char scene_name[MAX_ID_NAME-2];
 	
 	uiTemplateID(layout, C, ptr, "scene", NULL, NULL, NULL);
 	
--- a/source/blender/editors/space_outliner/outliner.c
+++ b/source/blender/editors/space_outliner/outliner.c
@ -5665,7 +5665,7 @@ static void outliner_buttons(const bContext *C, uiBlock *block, ARegion *ar, Spa
 				if(tselem->type==TSE_EBONE) len = sizeof(((EditBone*) 0)->name);
 				else if (tselem->type==TSE_MODIFIER) len = sizeof(((ModifierData*) 0)->name);
 				else if(tselem->id && GS(tselem->id->name)==ID_LI) len = sizeof(((Library*) 0)->name);
-				else len= sizeof(((ID*) 0)->name)-2;
+				else len= MAX_ID_NAME-2;
 				

 				dx= (int)UI_GetStringWidth(te->name);
--- a/source/blender/makesrna/intern/rna_ID.c
+++ b/source/blender/makesrna/intern/rna_ID.c
@ -443,7 +443,7 @@ static void rna_def_ID(BlenderRNA *brna)
 	prop= RNA_def_property(srna, "name", PROP_STRING, PROP_NONE);
 	RNA_def_property_ui_text(prop, "Name", "Unique datablock ID name");
 	RNA_def_property_string_funcs(prop, "rna_ID_name_get", "rna_ID_name_length", "rna_ID_name_set");
-	RNA_def_property_string_maxlength(prop, sizeof(((ID*)NULL)->name)-2);
+	RNA_def_property_string_maxlength(prop, MAX_ID_NAME-2);
 	RNA_def_property_editable_func(prop, "rna_ID_name_editable");
 	RNA_def_property_update(prop, NC_ID|NA_RENAME, NULL);
 	RNA_def_struct_name_property(srna, prop);
--- a/source/blender/makesrna/intern/rna_curve.c
+++ b/source/blender/makesrna/intern/rna_curve.c
@ -947,7 +947,7 @@ static void rna_def_font(BlenderRNA *brna, StructRNA *srna)
 	
 	/* strings */
 	prop= RNA_def_property(srna, "family", PROP_STRING, PROP_NONE);
-	RNA_def_property_string_maxlength(prop, (sizeof((ID *)NULL)->name)-2);
+	RNA_def_property_string_maxlength(prop, MAX_ID_NAME-2);
 	RNA_def_property_ui_text(prop, "Object Font", "Use Blender Objects as font characters. Give font objects a common name followed by the character it represents, eg. familya, familyb etc, and turn on Verts Duplication");
 	RNA_def_property_update(prop, 0, "rna_Curve_update_data");
 	
--- a/source/blender/python/generic/bpy_internal_import.c
+++ b/source/blender/python/generic/bpy_internal_import.c
@ -132,7 +132,7 @@ PyObject *bpy_text_import(Text *text)
 PyObject *bpy_text_import_name(char *name, int *found)
 {
 	Text *text;
-	char txtname[22]; /* 21+NULL */
+	char txtname[MAX_ID_NAME-2];
 	int namelen= strlen(name);
 //XXX	Main *maggie= bpy_import_main ? bpy_import_main:G.main;
 	Main *maggie= bpy_import_main;
@ -144,7 +144,7 @@ PyObject *bpy_text_import_name(char *name, int *found)
 		return NULL;
 	}
 	
-	if (namelen>21-3) return NULL; /* we know this cant be importable, the name is too long for blender! */
+	if (namelen >= (MAX_ID_NAME-2) - 3) return NULL; /* we know this cant be importable, the name is too long for blender! */
 	
 	memcpy(txtname, name, namelen);
 	memcpy(&txtname[namelen], ".py", 4);