From 0108d5b1f9deeabed41edf47ab67f9e9031f5d0f Mon Sep 17 00:00:00 2001
From: Turo Lamminen
Date: Tue, 27 Jan 2015 23:47:22 +0200
Subject: [PATCH] Fix read past end of buffer on malformed LWOB files
---
 code/LWOBLoader.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/code/LWOBLoader.cpp b/code/LWOBLoader.cpp
index cdbd9695f..6c9b0560a 100644
--- a/code/LWOBLoader.cpp
+++ b/code/LWOBLoader.cpp
@@ -139,7 +139,15 @@ void LWOImporter::CountVertsAndFacesLWOB(unsigned int& verts, unsigned int& face
 while (cursor < end && max--)
 {
 uint16_t numIndices;
+ // must have 2 shorts left for numIndices and surface
+ if (end - cursor < 2) {
+ throw DeadlyImportError("LWOB: Unexpected end of file");
+ }
 ::memcpy(&numIndices, cursor++, 2);
+ // must have enough left for indices and surface
+ if (end - cursor < (1 + numIndices)) {
+ throw DeadlyImportError("LWOB: Unexpected end of file");
+ }
 verts += numIndices;
 faces++;
 cursor += numIndices;
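Review bot: The two new guards in the `while` loop only account for the count word, the index run and one surface word, so any read the loop body makes after `cursor += numIndices` beyond that single surface word is still unbounded. The body continues outside the hunk, so this cannot be confirmed from here; if a later branch consumes a further word, it needs its own check such as `if (end - cursor < 1) throw DeadlyImportError("LWOB: Unexpected end of file");` before that read. The comparisons are in units of the pointee type of `cursor`, which is declared outside the hunk; the `cursor++` paired with a 2-byte `memcpy` suggests 16-bit elements, and a comment like `// end - cursor is counted in 16-bit words, not bytes` would make that explicit. Both throws carry the same message, so distinct texts for the header check and the index-run check would make a rejected file easier to triage.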