iceflower/speed-dreams-code
1
0
Fork 0
forked from speed-dreams/speed-dreams-code
Code Pull requests Activity

fix buffer overflow from using wrong array element size

Browse source 
git-svn-id: https://svn.code.sf.net/p/speed-dreams/code/trunk@7139 30fe4595-0a0c-4342-8851-515496e4dcbd

Former-commit-id: c189cc7a807b21374e6c6b0f43b9a2aafeaf8276
Former-commit-id: 025852dc3c0c9fa6f96227f0ab612af15e8b135b
This commit is contained in:
iobyte 2020-06-11 13:31:27 +00:00
parent 7434f6079f
commit bdd4d56678
1 changed files with 14 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
src/tools/accc/ac3dload.cpp
View file

@ -155,7 +155,7 @@ void copyTexCoordToTextArray(double * textarray, tcoord_t * texcoord)
void obCreateTextArrays(ob_t * ob) void obCreateTextArrays(ob_t * ob)
{ {
const int numEls = ob->numvertice * 2; const int numEls = ob->numvertice * 2;
const int elSize = sizeof(tcoord_t); const int elSize = sizeof(double);
if(ob->vertexarray) if(ob->vertexarray)
ob->textarray = (double *) calloc(numEls, elSize); ob->textarray = (double *) calloc(numEls, elSize);
@ -4755,10 +4755,10 @@ ob_t * mergeObject(ob_t *ob1, ob_t * ob2, char * nameS)
tobS->vertex = (point_t*) malloc(sizeof(point_t) * numtri * 3); tobS->vertex = (point_t*) malloc(sizeof(point_t) * numtri * 3);
memset(tobS->snorm, 0, sizeof(point_t) * numtri * 3); memset(tobS->snorm, 0, sizeof(point_t) * numtri * 3);
memset(tobS->norm, 0, sizeof(point_t) * numtri * 3); memset(tobS->norm, 0, sizeof(point_t) * numtri * 3);
tobS->textarray = (double *) malloc(sizeof(tcoord_t) * numtri * 2 * 3); tobS->textarray = (double *) malloc(sizeof(double) * numtri * 2 * 3);
tobS->textarray1 = (double *) malloc(sizeof(tcoord_t) * numtri * 2 * 3); tobS->textarray1 = (double *) malloc(sizeof(double) * numtri * 2 * 3);
tobS->textarray2 = (double *) malloc(sizeof(tcoord_t) * numtri * 2 * 3); tobS->textarray2 = (double *) malloc(sizeof(double) * numtri * 2 * 3);
tobS->textarray3 = (double *) malloc(sizeof(tcoord_t) * numtri * 2 * 3); tobS->textarray3 = (double *) malloc(sizeof(double) * numtri * 2 * 3);
tobS->attrSurf = ob1->attrSurf; tobS->attrSurf = ob1->attrSurf;
tobS->attrMat = ob1->attrMat; tobS->attrMat = ob1->attrMat;
tobS->name = (char *) malloc(strlen(nameS) + 1); tobS->name = (char *) malloc(strlen(nameS) + 1);
@ -4770,24 +4770,24 @@ ob_t * mergeObject(ob_t *ob1, ob_t * ob2, char * nameS)
memcpy(tobS->vertexarray, ob1->vertexarray, memcpy(tobS->vertexarray, ob1->vertexarray,
ob1->numsurf * sizeof(tcoord_t) * 3); ob1->numsurf * sizeof(tcoord_t) * 3);
memcpy(tobS->textarray, ob1->textarray, memcpy(tobS->textarray, ob1->textarray,
ob1->numvert * sizeof(tcoord_t) * 2); ob1->numvert * sizeof(double) * 2);
memcpy(tobS->norm, ob1->norm, ob1->numvert * sizeof(point_t)); memcpy(tobS->norm, ob1->norm, ob1->numvert * sizeof(point_t));
memcpy(tobS->snorm, ob1->snorm, ob1->numvert * sizeof(point_t)); memcpy(tobS->snorm, ob1->snorm, ob1->numvert * sizeof(point_t));
if (ob1->texture1) if (ob1->texture1)
{ {
memcpy(tobS->textarray1, ob1->textarray1, memcpy(tobS->textarray1, ob1->textarray1,
ob1->numvert * 2 * sizeof(tcoord_t)); ob1->numvert * 2 * sizeof(double));
} }
if (ob1->texture2) if (ob1->texture2)
{ {
memcpy(tobS->textarray2, ob1->textarray2, memcpy(tobS->textarray2, ob1->textarray2,
ob1->numvert * 2 * sizeof(tcoord_t)); ob1->numvert * 2 * sizeof(double));
} }
if (ob1->texture3) if (ob1->texture3)
{ {
memcpy(tobS->textarray3, ob1->textarray3, memcpy(tobS->textarray3, ob1->textarray3,
ob1->numvert * 2 * sizeof(tcoord_t)); ob1->numvert * 2 * sizeof(double));
} }
n = ob1->numvert; n = ob1->numvert;
@ -5015,7 +5015,7 @@ int mergeSplitted(ob_t **object)
tobS->vertex=(point_t*)malloc(sizeof(point_t)*numtri*3); tobS->vertex=(point_t*)malloc(sizeof(point_t)*numtri*3);
memset(tobS->snorm,0,sizeof(point_t )*numtri*3); memset(tobS->snorm,0,sizeof(point_t )*numtri*3);
memset(tobS->norm,0,sizeof(point_t )*numtri*3); memset(tobS->norm,0,sizeof(point_t )*numtri*3);
tobS->textarray=(double *) malloc(sizeof(tcoord_t)* numtri*2*3); tobS->textarray=(double *) malloc(sizeof(double)* numtri*2*3);
tobS->attrSurf=tob->attrSurf; tobS->attrSurf=tob->attrSurf;
tobS->attrMat=tob->attrMat; tobS->attrMat=tob->attrMat;
tobS->name=(char *) malloc(strlen(nameS)+1); tobS->name=(char *) malloc(strlen(nameS)+1);
@ -5025,23 +5025,23 @@ int mergeSplitted(ob_t **object)
memcpy(tobS->vertex, tob->vertex,tob->numvert*sizeof(point_t)); memcpy(tobS->vertex, tob->vertex,tob->numvert*sizeof(point_t));
memcpy(tobS->vertexarray, tob->vertexarray,tob->numsurf*sizeof(tcoord_t )); memcpy(tobS->vertexarray, tob->vertexarray,tob->numsurf*sizeof(tcoord_t ));
memcpy(tobS->textarray, tob->textarray,tob->numvert*sizeof(tcoord_t )*2); memcpy(tobS->textarray, tob->textarray,tob->numvert*sizeof(double)*2);
if (tob->texture1) if (tob->texture1)
{ {
memcpy(tobS->textarray1, tob->textarray1,tob->numvert*2*sizeof(tcoord_t )); memcpy(tobS->textarray1, tob->textarray1,tob->numvert*2*sizeof(double));
memcpy(tobS->vertexarray1, tob->vertexarray1,tob->numsurf*sizeof(tcoord_t )); memcpy(tobS->vertexarray1, tob->vertexarray1,tob->numsurf*sizeof(tcoord_t ));
tobS->texture1=strdup(tob->texture1); tobS->texture1=strdup(tob->texture1);
} }
if (tob->texture2) if (tob->texture2)
{ {
memcpy(tobS->textarray2, tob->textarray2,tob->numvert*2*sizeof(tcoord_t )); memcpy(tobS->textarray2, tob->textarray2,tob->numvert*2*sizeof(double));
memcpy(tobS->vertexarray2, tob->vertexarray2,tob->numsurf*sizeof(tcoord_t )); memcpy(tobS->vertexarray2, tob->vertexarray2,tob->numsurf*sizeof(tcoord_t ));
tobS->texture2=strdup(tob->texture2); tobS->texture2=strdup(tob->texture2);
} }
if (tob->texture3) if (tob->texture3)
{ {
memcpy(tobS->textarray3, tob->textarray3,tob->numvert*2*sizeof(tcoord_t )); memcpy(tobS->textarray3, tob->textarray3,tob->numvert*2*sizeof(double));
memcpy(tobS->vertexarray3, tob->vertexarray3,tob->numsurf*sizeof(tcoord_t )); memcpy(tobS->vertexarray3, tob->vertexarray3,tob->numsurf*sizeof(tcoord_t ));
tobS->texture3=strdup(tob->texture3); tobS->texture3=strdup(tob->texture3);
} }