fix for buffer overrun crash with saving scene name longer then 24 characters.
authorCampbell Barton <ideasman42@gmail.com>
Thu, 26 Apr 2012 04:03:25 +0000 (04:03 +0000)
committerCampbell Barton <ideasman42@gmail.com>
Thu, 26 Apr 2012 04:03:25 +0000 (04:03 +0000)
writing render info would try to write a 64 length string into a 24 length buffer.

updated py script to extract render info too.

release/scripts/modules/blend_render_info.py
source/blender/blenloader/intern/writefile.c

index 7c30b480d6b86f6c17bd51075579bf83c382dcef..5a09f6646373d5f450e3b1af44808706cd90f0da 100755 (executable)
@@ -75,7 +75,7 @@ def read_blend_rend_chunk(path):
         # Now we want the scene name, start and end frame. this is 32bites long
         start_frame, end_frame = struct.unpack('>2i' if is_big_endian else '<2i', blendfile.read(8))
 
-        scene_name = blendfile.read(24)
+        scene_name = blendfile.read(64)
 
         scene_name = scene_name[:scene_name.index(b'\0')]
 
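Review bot: The name length is now hard-coded to 64 at `blendfile.read(64)`, so a file saved before this change (the C side used to write a 32-byte REND payload with a 24-byte name) is over-read by 40 bytes into whatever follows the chunk. If the block header parsed earlier in read_blend_rend_chunk exposes the payload length (not visible in this hunk), the read size should be that length minus the 8 bytes already consumed for the two frame numbers. Independently, `scene_name.index(b'\0')` raises ValueError on a short read or a file with no terminator in the bytes read; `scene_name = scene_name.partition(b'\0')[0]` gives the same result for well-formed input and cannot raise. The comment above still says the data is "32bites long" and should be updated to describe the new 8 + 64 byte layout.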
index 0f2990a9157d12a419efb8d1ee9834167898fd6a..61969c7878aa2951a28cb23a8c8d4b5b4e217ab2 100644 (file)
@@ -757,24 +757,30 @@ static void current_screen_compat(Main *mainvar, bScreen **screen)
        *screen= (window)? window->screen: NULL;
 }
 
+typedef struct RenderInfo {
+       int sfra;
+       int efra;
+       char scene_name[MAX_ID_NAME - 2];
+} RenderInfo;
+
 static void write_renderinfo(WriteData *wd, Main *mainvar)             /* for renderdeamon */
 {
        bScreen *curscreen;
        Scene *sce;
-       int data[8];
+       RenderInfo data;
 
        /* XXX in future, handle multiple windows with multiple screnes? */
        current_screen_compat(mainvar, &curscreen);
 
        for (sce= mainvar->scene.first; sce; sce= sce->id.next) {
                if (sce->id.lib==NULL  && ( sce==curscreen->scene || (sce->r.scemode & R_BG_RENDER)) ) {
-                       data[0]= sce->r.sfra;
-                       data[1]= sce->r.efra;
+                       data.sfra = sce->r.sfra;
+                       data.efra = sce->r.efra;
+                       memset(data.scene_name, 0, sizeof(data.scene_name));
 
-                       memset(data+2, 0, sizeof(int)*6);
-                       BLI_strncpy((char *)(data+2), sce->id.name+2, sizeof(sce->id.name)-2);
+                       BLI_strncpy(data.scene_name, sce->id.name + 2, sizeof(data.scene_name));
 
-                       writedata(wd, REND, 32, data);
+                       writedata(wd, REND, sizeof(data), &data);
                }
        }
 }
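Review bot: `writedata(wd, REND, sizeof(data), &data)` writes the raw struct to disk, but only `scene_name` is zeroed, so any padding a compiler or a later field change adds to RenderInfo would put uninitialised stack bytes into the saved file. Zeroing the whole struct ahead of the `data.sfra` assignment, `memset(&data, 0, sizeof(data));`, removes that dependency and makes the separate `memset` on `scene_name` unnecessary. RenderInfo is now an on-disk format that blend_render_info.py reads with fixed sizes, so the typedef deserves a comment along the lines of `/* on-disk layout of the REND chunk: two ints then a NUL-padded name; keep in sync with blend_render_info.py */`, ideally with a compile-time check on its size. Separately, and unchanged by this commit, the context line at the top of the hunk shows current_screen_compat can store NULL in `*screen`, while the loop condition evaluates `curscreen->scene` without a guard.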