tysonbrochu / eltopo

http://www.cs.ubc.ca/labs/imager/tr/2009/eltopo/eltopo.html
BSD 2-Clause "Simplified" License

Buffer overflows in ObjLoader.cpp #2

Closed tysonbrochu closed 9 years ago

tysonbrochu commented 12 years ago

There are multiple buffer overflows in Blender's external library eltopo, in the ObjLoader.cpp file. I have attached a report from flawfinder. I didn't check them all, but there are several of them that are pretty obvious, for instance in line 349:

```c
char* dir;
char* filename;
char buf[128];                  /* ----> line 330 */
GLuint nummaterials, i;

dir = glmDirName(model->pathname);
filename = (char*)malloc(sizeof(char) * (strlen(dir) + strlen(name) + 1));
strcpy(filename, dir);
strcat(filename, name);
free(dir);

file = fopen(filename, "r");
if (!file) {
    fprintf(stderr, "glmReadMTL() failed: can't open material file \"%s\".\n", filename);
    exit(1);
}
free(filename);

/* count the number of materials in the file */
nummaterials = 1;
while(fscanf(file, "%s", buf) != EOF) {   /* ------> line 349 */
    switch(buf[0]) {
    case '#':               /* comment */
        /* eat up rest of line */
        fgets(buf, sizeof(buf), file);
        break;
    case 'n':               /* newmtl */
        fgets(buf, sizeof(buf), file);
        nummaterials++;
        sscanf(buf, "%s %s", buf, buf);
        break;
```

If a very long string is read from an OBJ file it can overwrite buf in line 330, which could even lead to arbitrary code execution with a specially crafted OBJ file.
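A bounded version of the material-counting loop quoted above, added here as an example and not eltopo's or Blender's own code: every `%s` carries a width, the material name is parsed into its own buffer instead of the overlapping `sscanf(buf, "%s %s", buf, buf)`, and a constructed .mtl sample with a 150-character name is read without writing past the 128-byte buffer. The function names and the sample are assumptions.

```c
/* Hardened form of the glmReadMTL() material-counting loop. Added
 * example, not eltopo's or Blender's code. */
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 128   /* same stack buffer size as the original */
#define TOK "%127s"    /* BUF_SIZE - 1: leaves room for the NUL */

/* Drop the rest of the line so the tail of an over-long token is not
 * re-read as the next directive. */
static void skip_line(FILE *f) { int c; while ((c = fgetc(f)) != EOF && c != '\n') ; }

/* Every %s is width-limited, so a long token is truncated instead of being
 * written past buf. Returns the "newmtl" count (-1 if one has no name). */
int count_materials_bounded(FILE *f, char *last_name, size_t name_size)
{
    char buf[BUF_SIZE], line[BUF_SIZE], name[BUF_SIZE];
    int nummaterials = 0;
    while (fscanf(f, TOK, buf) == 1) {
        if (buf[0] == '#') {
            skip_line(f);                          /* comment */
        } else if (strcmp(buf, "newmtl") == 0) {
            if (!fgets(line, sizeof line, f)) return -1;
            if (!strchr(line, '\n')) skip_line(f); /* line longer than buf */
            /* own buffer: the original's sscanf(buf, "%s %s", buf, buf) overlaps */
            if (sscanf(line, TOK, name) != 1) return -1;
            nummaterials++;
            snprintf(last_name, name_size, "%s", name);
        } else {
            skip_line(f);                          /* Kd, Ka, map_Kd, ... */
        }
    }
    return nummaterials;
}

/* Constructed sample: a comment, "red", then a 150-character material
 * name, which would overflow the original's 128-byte buf. */
#define A30 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
static const char SAMPLE[] =
    "# constructed\nnewmtl red\nKd 1 0 0\nnewmtl " A30 A30 A30 A30 A30 "\nKd 0 1 0\n";
static char sample_name[BUF_SIZE];

int sample_material_count(void)                    /* returns 2 */
{
    FILE *f = tmpfile(); int n;
    fputs(SAMPLE, f); rewind(f);
    n = count_materials_bounded(f, sample_name, sizeof sample_name);
    fclose(f);
    return n;
}

/* 126: fgets took 127 bytes of the line, the name was truncated, nothing overflowed */
size_t sample_last_name_len(void) { sample_material_count(); return strlen(sample_name); }
```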

tysonbrochu commented 12 years ago

```
blender-2.63/extern/eltopo/common/meshes/ObjLoader.cpp:335: 4 strcpy: Does not check for buffer overflows when copying to destination. Consider using strncpy or strlcpy (warning, strncpy is easily misused).
blender-2.63/extern/eltopo/common/meshes/ObjLoader.cpp:336: 4 strcat: Does not check for buffer overflows when concatenating to destination. Consider using strncat or strlcat (warning, strncat is easily misused).
blender-2.63/extern/eltopo/common/meshes/ObjLoader.cpp:349: 4 fscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows. Specify a limit to %s, or use a different input function.
blender-2.63/extern/eltopo/common/meshes/ObjLoader.cpp:358: 4 sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows. Specify a limit to %s, or use a different input function.
blender-2.63/extern/eltopo/common/meshes/ObjLoader.cpp:393: 4 fscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows. Specify a limit to %s, or use a different input function.
blender-2.63/extern/eltopo/common/meshes/ObjLoader.cpp:401: 4 sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows. Specify a limit to %s, or use a different input function.
blender-2.63/extern/eltopo/common/meshes/ObjLoader.cpp:415: 4 sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows. Specify a limit to %s, or use a different input function.
blender-2.63/extern/eltopo/common/meshes/ObjLoader.cpp:472: 4 strcpy: Does not check for buffer overflows when copying to destination. Consider using strncpy or strlcpy (warning, strncpy is easily misused).
blender-2.63/extern/eltopo/common/meshes/ObjLoader.cpp:473: 4 strcat: Does not check for buffer overflows when concatenating to destination. Consider using strncat or strlcat (warning, strncat is easily misused).
blender-2.63/extern/eltopo/common/meshes/ObjLoader.cpp:531: 4 fscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows. Specify a limit to %s, or use a different input function.
blender-2.63/extern/eltopo/common/meshes/ObjLoader.cpp:562: 4 sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows. Specify a limit to %s, or use a different input function.
blender-2.63/extern/eltopo/common/meshes/ObjLoader.cpp:574: 4 sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows. Specify a limit to %s, or use a different input function.
blender-2.63/extern/eltopo/common/meshes/ObjLoader.cpp:582: 4 fscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows. Specify a limit to %s, or use a different input function.
blender-2.63/extern/eltopo/common/meshes/ObjLoader.cpp:682: 4 fscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows. Specify a limit to %s, or use a different input function.
blender-2.63/extern/eltopo/common/meshes/ObjLoader.cpp:714: 4 sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows. Specify a limit to %s, or use a different input function.
blender-2.63/extern/eltopo/common/meshes/ObjLoader.cpp:721: 4 sscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows. Specify a limit to %s, or use a different input function.
blender-2.63/extern/eltopo/common/meshes/ObjLoader.cpp:730: 4 fscanf: The scanf() family's %s operation, without a limit specification, permits buffer overflows. Specify a limit to %s, or use a different input function.
blender-2.63/extern/eltopo/common/meshes/ObjLoader.cpp:2185: 4 strcpy: Does not check for buffer overflows when copying to destination. Consider using strncpy or strlcpy (warning, strncpy is easily misused).
blender-2.63/extern/eltopo/common/tunicate/expansion.cpp:460: 4 strcat: Does not check for buffer overflows when concatenating to destination. Consider using strncat or strlcat (warning, strncat is easily misused).
```

tysonbrochu commented 9 years ago

File no longer exists. No scanf()s with %s should be in the project now.