Some strings to store ID names were too small, could cause stack corruption.
authorCampbell Barton <ideasman42@gmail.com>
Tue, 19 Apr 2011 06:59:49 +0000 (06:59 +0000)
committerCampbell Barton <ideasman42@gmail.com>
Tue, 19 Apr 2011 06:59:49 +0000 (06:59 +0000)
corrected these and replaced 'sizeof(((ID *)NULL)->name)-2' with 'MAX_ID_NAME-2'.

13 files changed:
source/blender/blenkernel/intern/library.c
source/blender/editors/interface/interface.c
source/blender/editors/interface/interface_utils.c
source/blender/editors/object/object_relations.c
source/blender/editors/render/render_internal.c
source/blender/editors/screen/screen_edit.c
source/blender/editors/sound/sound_ops.c
source/blender/editors/space_image/image_ops.c
source/blender/editors/space_node/drawnode.c
source/blender/editors/space_outliner/outliner.c
source/blender/makesrna/intern/rna_ID.c
source/blender/makesrna/intern/rna_curve.c
source/blender/python/generic/bpy_internal_import.c

index b2e0bb20f555ecf3a1c3c659d1490c9bfb8e0cf6..e2d64a78c1891051fd7a1c2438ea2c2bb2a50d0d 100644 (file)
@@ -1157,7 +1157,7 @@ static int check_for_dupid(ListBase *lb, ID *id, char *name)
 int new_id(ListBase *lb, ID *id, const char *tname)
 {
        int result;
-       char name[22];
+       char name[MAX_ID_NAME-2];
 
        /* if library, don't rename */
        if(id->lib) return 0;
index 29e8bf756f3b9366d935b27e55aa73eb36a54c0f..1495d2b00ba269184b519e8ca2088ee728c38173 100644 (file)
@@ -1390,7 +1390,7 @@ int ui_get_but_string_max_length(uiBut *but)
        if(ELEM(but->type, TEX, SEARCH_MENU))
                return but->hardmax;
        else if(but->type == IDPOIN)
-               return sizeof(((ID*)NULL)->name)-2;
+               return MAX_ID_NAME-2;
        else
                return UI_MAX_DRAW_STR;
 }
index f22c8eb4bfe609988bec3ae9444fb89607ab9b51..1ec125c2f2656923443b0c0e07d3eed571b935dc 100644 (file)
@@ -52,7 +52,7 @@ uiBut *uiDefAutoButR(uiBlock *block, PointerRNA *ptr, PropertyRNA *prop, int ind
 {
        uiBut *but=NULL;
        const char *propname= RNA_property_identifier(prop);
-       char prop_item[sizeof(((IDProperty *)NULL)->name)+4]; /* size of the ID prop name + room for [""] */
+       char prop_item[MAX_IDPROP_NAME+4]; /* size of the ID prop name + room for [""] */
        int arraylen= RNA_property_array_length(ptr, prop);
 
        /* support for custom props */
index 42f858d37a6336c2df73bbdd0d3323b133da0d7e..086d458f3e0808e209943a129022bd968186c26b 100644 (file)
@@ -402,7 +402,7 @@ void OBJECT_OT_proxy_make (wmOperatorType *ot)
        ot->flag= OPTYPE_REGISTER|OPTYPE_UNDO;
        
        /* properties */
-       RNA_def_string(ot->srna, "object", "", sizeof(((ID *)NULL)->name)-2, "Proxy Object", "Name of lib-linked/grouped object to make a proxy for.");
+       RNA_def_string(ot->srna, "object", "", MAX_ID_NAME-2, "Proxy Object", "Name of lib-linked/grouped object to make a proxy for.");
        prop= RNA_def_enum(ot->srna, "type", DummyRNA_DEFAULT_items, 0, "Type", "Group object"); /* XXX, relies on hard coded ID at the moment */
        RNA_def_enum_funcs(prop, proxy_group_object_itemf);
        ot->prop= prop;
index 71c88ae9e8f419dfa3684badac6e080a06713318..ce434413a5f2778b077c2273db6b9f521d3b625f 100644 (file)
@@ -736,7 +736,7 @@ static int screen_render_invoke(bContext *C, wmOperator *op, wmEvent *event)
        if(RNA_property_is_set(op->ptr, "layer")) {
                SceneRenderLayer *rl;
                Scene *scn;
-               char scene_name[19], rl_name[RE_MAXNAME];
+               char scene_name[MAX_ID_NAME-2], rl_name[RE_MAXNAME];
 
                RNA_string_get(op->ptr, "layer", rl_name);
                RNA_string_get(op->ptr, "scene", scene_name);
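Review bot: `RNA_string_get(op->ptr, "scene", scene_name)` takes no size argument, so `scene_name[MAX_ID_NAME-2]` is only safe while the "scene" property's max length in `RENDER_OT_render` stays in step with the buffer, and nothing in the code ties the two together. The same buffer/property pairing is visible in `sound_unpack_exec` (`sndname`) and `image_unpack_exec` (`imaname`), and presumably applies to `name` in `image_new_exec`, whose read is outside its hunk. I would add a comment at each buffer, for example `/* size must match the maxlen given to RNA_def_string() for "scene" */`. It is also worth confirming whether that max length counts the terminating NUL, because if it does not the buffer is one byte short. The body of screen_render_invoke continues outside the hunk.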
@@ -828,7 +828,7 @@ void RENDER_OT_render(wmOperatorType *ot)
        RNA_def_boolean(ot->srna, "animation", 0, "Animation", "Render files from the animation range of this scene");
        RNA_def_boolean(ot->srna, "write_still", 0, "Write Image", "Save rendered the image to the output path (used only when animation is disabled)");
        RNA_def_string(ot->srna, "layer", "", RE_MAXNAME, "Render Layer", "Single render layer to re-render");
-       RNA_def_string(ot->srna, "scene", "", sizeof(((ID *)NULL)->name)-2, "Scene", "Re-render single layer in this scene");
+       RNA_def_string(ot->srna, "scene", "", MAX_ID_NAME-2, "Scene", "Re-render single layer in this scene");
 }
 
 /* ****************************** opengl render *************************** */
index 39da86b196249a2c212cdce9090c5d82eb062ef6..a0a2ede11ef28ce12efa7b8c2f2324f2ece79227 100644 (file)
@@ -1627,7 +1627,7 @@ ScrArea *ED_screen_full_toggle(bContext *C, wmWindow *win, ScrArea *sa)
        }
        else {
                ScrArea *newa;
-               char newname[20];
+               char newname[MAX_ID_NAME-2];
 
                oldscreen= win->screen;
 
index 7a5495208bf7aa08296c66f818fb7cc1b67689cc..3716baad474278dd16a80ca4e4d55a7ed84b351a 100644 (file)
@@ -219,7 +219,7 @@ static int sound_unpack_exec(bContext *C, wmOperator *op)
 
        /* find the suppplied image by name */
        if (RNA_property_is_set(op->ptr, "id")) {
-               char sndname[22];
+               char sndname[MAX_ID_NAME-2];
                RNA_string_get(op->ptr, "id", sndname);
                sound = BLI_findstring(&CTX_data_main(C)->sound, sndname, offsetof(ID, name) + 2);
        }
@@ -276,7 +276,7 @@ static void SOUND_OT_unpack(wmOperatorType *ot)
 
        /* properties */
        RNA_def_enum(ot->srna, "method", unpack_method_items, PF_USE_LOCAL, "Method", "How to unpack.");
-       RNA_def_string(ot->srna, "id", "", sizeof(((ID *)NULL)->name)-2, "Sound Name", "Sound datablock name to unpack."); /* XXX, weark!, will fail with library, name collisions */
+       RNA_def_string(ot->srna, "id", "", MAX_ID_NAME-2, "Sound Name", "Sound datablock name to unpack."); /* XXX, weark!, will fail with library, name collisions */
 }
 
 /* ******************************************************* */
index a092895c39e44ec2e4b8419983c0e75e76a572ef..9cea8d4f220db88beef840afa99bcbc7425a52d3 100644 (file)
@@ -1279,7 +1279,7 @@ static int image_new_exec(bContext *C, wmOperator *op)
        Image *ima;
        PointerRNA ptr, idptr;
        PropertyRNA *prop;
-       char name[22];
+       char name[MAX_ID_NAME-2];
        float color[4];
        int width, height, floatbuf, uvtestgrid, alpha;
 
@@ -1352,7 +1352,7 @@ void IMAGE_OT_new(wmOperatorType *ot)
        ot->flag= OPTYPE_UNDO;
 
        /* properties */
-       RNA_def_string(ot->srna, "name", "untitled", sizeof(((ID *)NULL)->name)-2, "Name", "Image datablock name.");
+       RNA_def_string(ot->srna, "name", "untitled", MAX_ID_NAME-2, "Name", "Image datablock name.");
        RNA_def_int(ot->srna, "width", 1024, 1, INT_MAX, "Width", "Image width.", 1, 16384);
        RNA_def_int(ot->srna, "height", 1024, 1, INT_MAX, "Height", "Image height.", 1, 16384);
        prop= RNA_def_float_color(ot->srna, "color", 4, NULL, 0.0f, FLT_MAX, "Color", "Default fill color.", 0.0f, 1.0f);
@@ -1538,7 +1538,7 @@ static int image_unpack_exec(bContext *C, wmOperator *op)
 
        /* find the suppplied image by name */
        if (RNA_property_is_set(op->ptr, "id")) {
-               char imaname[22];
+               char imaname[MAX_ID_NAME-2];
                RNA_string_get(op->ptr, "id", imaname);
                ima = BLI_findstring(&CTX_data_main(C)->image, imaname, offsetof(ID, name) + 2);
                if (!ima) ima = CTX_data_edit_image(C);
@@ -1604,7 +1604,7 @@ void IMAGE_OT_unpack(wmOperatorType *ot)
        
        /* properties */
        RNA_def_enum(ot->srna, "method", unpack_method_items, PF_USE_LOCAL, "Method", "How to unpack.");
-       RNA_def_string(ot->srna, "id", "", sizeof(((ID *)NULL)->name)-2, "Image Name", "Image datablock name to unpack."); /* XXX, weark!, will fail with library, name collisions */
+       RNA_def_string(ot->srna, "id", "", MAX_ID_NAME-2, "Image Name", "Image datablock name to unpack."); /* XXX, weark!, will fail with library, name collisions */
 }
 
 /******************** sample image operator ********************/
index ff135fbe46446a7f9fb6751fed6e301985a7c26e..ba15e47ba0410f3ed9eb4b258df34549eff54d3b 100644 (file)
@@ -518,7 +518,7 @@ static void node_composit_buts_renderlayers(uiLayout *layout, bContext *C, Point
        PointerRNA scn_ptr;
        PropertyRNA *prop;
        const char *layer_name;
-       char scene_name[19];
+       char scene_name[MAX_ID_NAME-2];
        
        uiTemplateID(layout, C, ptr, "scene", NULL, NULL, NULL);
        
index 765cd360f96ec069f9713702c69d4dc47a675f4f..ed26440d37db38b980d515bed75be5e1c95996cf 100644 (file)
@@ -5665,7 +5665,7 @@ static void outliner_buttons(const bContext *C, uiBlock *block, ARegion *ar, Spa
                                if(tselem->type==TSE_EBONE) len = sizeof(((EditBone*) 0)->name);
                                else if (tselem->type==TSE_MODIFIER) len = sizeof(((ModifierData*) 0)->name);
                                else if(tselem->id && GS(tselem->id->name)==ID_LI) len = sizeof(((Library*) 0)->name);
-                               else len= sizeof(((ID*) 0)->name)-2;
+                               else len= MAX_ID_NAME-2;
                                
 
                                dx= (int)UI_GetStringWidth(te->name);
index ae62ef55c0137249db378cce9b3f5a641773ebcf..bde7c99c7dfadf1051192e4a153991888b44a8d7 100644 (file)
@@ -443,7 +443,7 @@ static void rna_def_ID(BlenderRNA *brna)
        prop= RNA_def_property(srna, "name", PROP_STRING, PROP_NONE);
        RNA_def_property_ui_text(prop, "Name", "Unique datablock ID name");
        RNA_def_property_string_funcs(prop, "rna_ID_name_get", "rna_ID_name_length", "rna_ID_name_set");
-       RNA_def_property_string_maxlength(prop, sizeof(((ID*)NULL)->name)-2);
+       RNA_def_property_string_maxlength(prop, MAX_ID_NAME-2);
        RNA_def_property_editable_func(prop, "rna_ID_name_editable");
        RNA_def_property_update(prop, NC_ID|NA_RENAME, NULL);
        RNA_def_struct_name_property(srna, prop);
index ec0f92776535a7e051ee4f697b10682bd396dc42..ec640531fa051e91d66a5bf7f40a2d5a16500eac 100644 (file)
@@ -947,7 +947,7 @@ static void rna_def_font(BlenderRNA *brna, StructRNA *srna)
        
        /* strings */
        prop= RNA_def_property(srna, "family", PROP_STRING, PROP_NONE);
-       RNA_def_property_string_maxlength(prop, (sizeof((ID *)NULL)->name)-2);
+       RNA_def_property_string_maxlength(prop, MAX_ID_NAME-2);
        RNA_def_property_ui_text(prop, "Object Font", "Use Blender Objects as font characters. Give font objects a common name followed by the character it represents, eg. familya, familyb etc, and turn on Verts Duplication");
        RNA_def_property_update(prop, 0, "rna_Curve_update_data");
        
index 0ea4e083e3e6251930d2dbe496a01d0de292df21..f2514af20b4911184689493f354e3654f334fe23 100644 (file)
@@ -132,7 +132,7 @@ PyObject *bpy_text_import(Text *text)
 PyObject *bpy_text_import_name(char *name, int *found)
 {
        Text *text;
-       char txtname[22]; /* 21+NULL */
+       char txtname[MAX_ID_NAME-2];
        int namelen= strlen(name);
 //XXX  Main *maggie= bpy_import_main ? bpy_import_main:G.main;
        Main *maggie= bpy_import_main;
@@ -144,7 +144,7 @@ PyObject *bpy_text_import_name(char *name, int *found)
                return NULL;
        }
        
-       if (namelen>21-3) return NULL; /* we know this cant be importable, the name is too long for blender! */
+       if (namelen >= (MAX_ID_NAME-2) - 3) return NULL; /* we know this cant be importable, the name is too long for blender! */
        
        memcpy(txtname, name, namelen);
        memcpy(&txtname[namelen], ".py", 4);
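Review bot: `namelen` is declared `int` and assigned from `strlen(name)` (the declaration is in the previous hunk), so a length above INT_MAX would wrap negative, pass the `namelen >= (MAX_ID_NAME-2) - 3` check and reach `memcpy(txtname, name, namelen)` converted to a huge size. Declaring it `size_t namelen= strlen(name);` closes that case, provided nothing later in the function needs it signed. The `- 3` in the guard and the `4` in the second memcpy both encode the length of ".py" by hand; `if (namelen + sizeof(".py") > sizeof(txtname)) return NULL;` and `memcpy(&txtname[namelen], ".py", sizeof(".py"));` would derive both from the buffer and the suffix. The function continues outside the hunk.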