fix for crash's in file selector.
authorCampbell Barton <ideasman42@gmail.com>
Sun, 21 Oct 2007 09:32:18 +0000 (09:32 +0000)
committerCampbell Barton <ideasman42@gmail.com>
Sun, 21 Oct 2007 09:32:18 +0000 (09:32 +0000)
- on unix BLI_diskfree was only using 100 chars for the dir name, and
not checking if the name given was longer, increased to FILE_MAXDIR
(160) and added a check, return -1 if its too long.

The file selector only allowed 80 chars to be typed into the directory
entry.

Made the file selector check that the path is less then FILE_MIXDIR, if
you try and enter a path thats longer it will tell you that the path is
too long, before it was writing into other memory and crashing.

source/blender/blenlib/intern/storage.c
source/blender/src/filesel.c
source/blender/src/header_filesel.c
source/blender/src/usiblender.c

index a6b91bf489d0ce13d668b08431ddb9b1c19c5e7b..1d46679cbf243e52578125bb0ac2e1ab6f5402ed 100644 (file)
@@ -180,12 +180,15 @@ double BLI_diskfree(char *dir)
        return (double) (freec*bytesps*sectorspc);
 #else
        struct statfs disk;
-       char name[100],*slash;
-
-
+       char name[FILE_MAXDIR],*slash;
+       int len = strlen(dir);
+       
+       if (len >= FILE_MAXDIR) /* path too long */
+               return -1;
+       
        strcpy(name,dir);
 
-       if(strlen(name)){
+       if(len){
                slash = strrchr(name,'/');
                if (slash) slash[1] = 0;
        } else strcpy(name,"/");
index 1bdca25a88d0fc149074c0db16140b15d0cc5ac8..d304125ca9af35d86b16426918354cf80a6d4379 100644 (file)
@@ -1039,7 +1039,7 @@ void drawfilespace(ScrArea *sa, void *spacedata)
        else loadbutton= 0;
 
        uiBlockBeginAlign(block);
-       uiDefBut(block, TEX, B_FS_DIRNAME,"",   textrct.xmin + (strp?20:0), filebuty2, textrct.xmax-textrct.xmin-loadbutton - (strp?20:0), 21, sfile->dir, 0.0, (float)FILE_MAXFILE-1, 0, 0, "Directory, enter a directory and press enter to create it"); /* Directory input */
+       uiDefBut(block, TEX, B_FS_DIRNAME,"",   textrct.xmin + (strp?20:0), filebuty2, textrct.xmax-textrct.xmin-loadbutton - (strp?20:0), 21, sfile->dir, 0.0, (float)FILE_MAXDIR-1, 0, 0, "Directory, enter a directory and press enter to create it"); /* Directory input */
        if(loadbutton) {
                uiSetCurFont(block, UI_HELV);
                uiDefBut(block, BUT, B_FS_LOAD, sfile->title,   textrct.xmax-loadbutton, filebuty2, loadbutton, 21, sfile->dir, 0.0, (float)FILE_MAXFILE-1, 0, 0, "");
@@ -1833,12 +1833,20 @@ void winqreadfilespace(ScrArea *sa, void *spacedata, BWinEvent *evt)
                                
                                if(act>=0 && act<sfile->totfile) {
                                        if(S_ISDIR(sfile->filelist[act].type)) {
-                                               strcat(sfile->dir, sfile->filelist[act].relname);
-                                               strcat(sfile->dir,"/");
-                                               BLI_cleanup_dir(G.sce, sfile->dir);
-                                               freefilelist(sfile);                                            
-                                               sfile->ofs= 0;
-                                               do_draw= 1;
+                                               /* the path is too long and we are not going up! */
+                                               if (strcmp(sfile->filelist[act].relname, ".") &&
+                                                       strcmp(sfile->filelist[act].relname, "..") &&
+                                                       strlen(sfile->dir) + strlen(sfile->filelist[act].relname) >= FILE_MAXDIR ) 
+                                               {
+                                                       error("Path too long, cannot enter this directory");
+                                               } else {
+                                                       strcat(sfile->dir, sfile->filelist[act].relname);
+                                                       strcat(sfile->dir,"/");
+                                                       BLI_cleanup_dir(G.sce, sfile->dir);
+                                                       freefilelist(sfile);                                            
+                                                       sfile->ofs= 0;
+                                                       do_draw= 1;
+                                               }
                                        }
                                        else {
                                                if( strcmp(sfile->file, sfile->filelist[act].relname)) {
index 8ef4ed9dc249de57325be4b502755e85287eef11..999fa2733afd348ba50c2cdea32028f35be1cd46 100644 (file)
@@ -188,7 +188,7 @@ void file_buttons(void)
        
                BIF_DrawString(G.font, naam, 0);
        }
-       
+
        /* always do as last */
        curarea->headbutlen= xco+2*XIC;
 }
index 8f43742fe286fa5327ce86d5abc7683abe6bc7ac..8b6cd987cf88fa216be82a12ad5ad13484ab6860 100644 (file)
@@ -745,11 +745,17 @@ static void do_history(char *name)
 void BIF_write_file(char *target)
 {
        Library *li;
-       int writeflags;
-       char di[FILE_MAXDIR];
+       int writeflags, len;
+       char di[FILE_MAX];
        char *err;
        
-       if (BLI_streq(target, "")) return;
+       len = strlen(target);
+       
+       if (len == 0) return;
+       if (len >= FILE_MAX) {
+               error("Path too long, cannot save");
+               return;
+       }
  
        /* send the OnSave event */
        if (G.f & G_DOSCRIPTLINKS) BPY_do_pyscript(&G.scene->id, SCRIPT_ONSAVE);
@@ -761,7 +767,7 @@ void BIF_write_file(char *target)
                }
        }
        
-       if (!BLO_has_bfile_extension(target)) {
+       if (!BLO_has_bfile_extension(target) && (len+6 < FILE_MAX)) {
                sprintf(di, "%s.blend", target);
        } else {
                strcpy(di, target);