From f167fe1d4a3550e7c803db0105251595d879a518 Mon Sep 17 00:00:00 2001
From: Turo Lamminen
Date: Mon, 26 Jan 2015 13:31:04 +0200
Subject: [PATCH 1/9] Ignore unix editor backup files

---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.gitignore b/.gitignore
index 55995220d..0ec07fc21 100644
--- a/.gitignore
+++ b/.gitignore
@@ -51,3 +51,6 @@ test/gtest/src/gtest-stamp/Debug/gtest-build
 *.lib
 test/gtest/src/gtest-stamp/Debug/
 tools/assimp_view/assimp_viewer.vcxproj.user
+
+# Unix editor backups
+*~

From c5d048a98a750b68e2ddf488b0691cdc326e3fe8 Mon Sep 17 00:00:00 2001
From: Turo Lamminen
Date: Mon, 26 Jan 2015 12:38:30 +0200
Subject: [PATCH 2/9] Fix crash when 3DS file contains faces but no vertices

---
 code/3DSLoader.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/code/3DSLoader.cpp b/code/3DSLoader.cpp
index 4f5614a00..1f2235229 100644
--- a/code/3DSLoader.cpp
+++ b/code/3DSLoader.cpp
@@ -175,6 +175,10 @@ void Discreet3DSImporter::InternReadFile( const std::string& pFile,
 // file.
 for (std::vector::iterator i = mScene->mMeshes.begin(), end = mScene->mMeshes.end(); i != end;++i) {
+ if ((*i).mFaces.size() > 0 && (*i).mPositions.size() == 0) {
+ delete mScene;
+ throw DeadlyImportError("3DS file contains faces but no vertices: " + pFile);
+ }
 CheckIndices(*i);
 MakeUnique (*i);
 ComputeNormalsWithSmoothingsGroups(*i);

From 2f0675ac53d9fef9d6b80be4a7189704fd9aeff8 Mon Sep 17 00:00:00 2001
From: Turo Lamminen
Date: Mon, 26 Jan 2015 13:27:48 +0200
Subject: [PATCH 3/9] Fix memory corruption when 3DS file has more smoothing groups than faces

---
 code/3DSLoader.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/code/3DSLoader.cpp b/code/3DSLoader.cpp
index 1f2235229..6a51fb84f 100644
--- a/code/3DSLoader.cpp
+++ b/code/3DSLoader.cpp
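Review bot: The new error path in the 3DS hunk (patch 2/9) does `delete mScene;` and then throws while the member still points at the freed object, so any later delete of `mScene` — in the destructor or on a second import through the same importer, which cannot be seen from here — would be a double free; null it in the same step, `delete mScene; mScene = NULL;` (or the file's null spelling). The condition reads more directly as `if (!i->mFaces.empty() && i->mPositions.empty())`. This only rejects the faces-with-zero-positions case; a face index that is merely beyond mPositions.size() is presumably still left to CheckIndices on the following line. InternReadFile begins before the hunk and continues after it.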
@@ -948,6 +948,9 @@ void Discreet3DSImporter::ParseFaceChunk()
 // This is the list of smoothing groups - a bitfield for every face.
 // Up to 32 smoothing groups assigned to a single face.
 unsigned int num = chunkSize/4, m = 0;
+ if (num > mMesh.mFaces.size()) {
+ throw DeadlyImportError("3DS: More smoothing groups than faces");
+ }
 for (std::vector::iterator i = mMesh.mFaces.begin(); m != num;++i, ++m) {
 // nth bit is set for nth smoothing group
 (*i).iSmoothGroup = stream->GetI4();

From af09e68654dc6a32fafe7e3192e5dea297031062 Mon Sep 17 00:00:00 2001
From: Turo Lamminen
Date: Mon, 26 Jan 2015 14:23:07 +0200
Subject: [PATCH 4/9] Fix memory corruption when LWO file contains bad-sized points chunk

---
 code/LWOLoader.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/code/LWOLoader.cpp b/code/LWOLoader.cpp
index 14a9f261f..355e21298 100644
--- a/code/LWOLoader.cpp
+++ b/code/LWOLoader.cpp
@@ -730,6 +730,11 @@ void LWOImporter::LoadLWOPoints(unsigned int length)
 // --- this function is used for both LWO2 and LWOB but for
 // LWO2 we need to allocate 25% more storage - it could be we'll
 // need to duplicate some points later.
+ const size_t vertexLen = 12;
+ if ((length % vertexLen) != 0)
+ {
+ throw DeadlyImportError( "LWO2: Points chunk length is not multiple of vertexLen (12)");
+ }
 register unsigned int regularSize = (unsigned int)mCurLayer->mTempPoints.size() + length / 12;
 if (mIsLWO2)
 {

From 16f9ca35d2ee5e6817bae367e7fb264d0884532b Mon Sep 17 00:00:00 2001
From: Turo Lamminen
Date: Mon, 26 Jan 2015 15:05:18 +0200
Subject: [PATCH 5/9] Fix out-of-bounds read when OFF file contains no vertices

---
 code/OFFLoader.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/code/OFFLoader.cpp b/code/OFFLoader.cpp
index 23a1815c3..ca440a458 100644
--- a/code/OFFLoader.cpp
+++ b/code/OFFLoader.cpp
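Review bot: The new guard in ParseFaceChunk stops the over-run, but the opposite case is left undocumented: when `num` is smaller than the face count the loop ends at `num` and the remaining faces keep whatever `iSmoothGroup` they already held, and nothing here says whether that is intended; a comment such as `// fewer groups than faces: trailing faces keep their previous iSmoothGroup` would settle it. `chunkSize/4` also silently drops a trailing partial word, so rejecting `chunkSize % 4 != 0` with the same DeadlyImportError would mirror the length check added to the LWO loader in patch 4/9. ParseFaceChunk begins before the hunk and continues after it.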
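Review bot: The new error text says `LWO2:` although the comment two lines above states that LoadLWOPoints serves both LWO2 and LWOB, so an LWOB file with a bad points chunk is reported under the wrong format; `"LWO: Points chunk length is not a multiple of 12"` or a prefix chosen on `mIsLWO2` would be accurate. The unchanged `regularSize` line still divides by a literal `12`; now that `vertexLen` exists it should read `length / vertexLen` so the two cannot drift apart. LoadLWOPoints continues past the hunk.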
@@ -127,6 +127,13 @@ void OFFImporter::InternReadFile( const std::string& pFile,
 const unsigned int numVertices = strtoul10(sz,&sz);SkipSpaces(&sz);
 const unsigned int numFaces = strtoul10(sz,&sz);
+ if (!numVertices) {
+ throw DeadlyImportError("OFF: There are no valid vertices");
+ }
+ if (!numFaces) {
+ throw DeadlyImportError("OFF: There are no valid faces");
+ }
+
 pScene->mMeshes = new aiMesh*[ pScene->mNumMeshes = 1 ];
 aiMesh* mesh = pScene->mMeshes[0] = new aiMesh();
 aiFace* faces = mesh->mFaces = new aiFace [mesh->mNumFaces = numFaces];

From 0108d5b1f9deeabed41edf47ab67f9e9031f5d0f Mon Sep 17 00:00:00 2001
From: Turo Lamminen
Date: Tue, 27 Jan 2015 23:47:22 +0200
Subject: [PATCH 6/9] Fix read past end of buffer on malformed LWOB files

---
 code/LWOBLoader.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/code/LWOBLoader.cpp b/code/LWOBLoader.cpp
index cdbd9695f..6c9b0560a 100644
--- a/code/LWOBLoader.cpp
+++ b/code/LWOBLoader.cpp
@@ -139,7 +139,15 @@ void LWOImporter::CountVertsAndFacesLWOB(unsigned int& verts, unsigned int& face
 while (cursor < end && max--)
 {
 uint16_t numIndices;
+ // must have 2 shorts left for numIndices and surface
+ if (end - cursor < 2) {
+ throw DeadlyImportError("LWOB: Unexpected end of file");
+ }
 ::memcpy(&numIndices, cursor++, 2);
+ // must have enough left for indices and surface
+ if (end - cursor < (1 + numIndices)) {
+ throw DeadlyImportError("LWOB: Unexpected end of file");
+ }
 verts += numIndices;
 faces++;
 cursor += numIndices;

From 95ad8272772ef1555da29649cf0e5ce6bb6c8a43 Mon Sep 17 00:00:00 2001
From: Turo Lamminen
Date: Wed, 28 Jan 2015 00:44:26 +0200
Subject: [PATCH 7/9] Remove bogus delete[] on error path

mBuffer is a pointer inside a std::vector so don't try to delete[] it.
---
 code/PlyLoader.cpp | 1 -
 1 file changed, 1 deletion(-)

diff --git a/code/PlyLoader.cpp b/code/PlyLoader.cpp
index 104e194d9..d61c4e5a7 100644
--- a/code/PlyLoader.cpp
+++ b/code/PlyLoader.cpp
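Review bot: The `!numFaces` check is a wider behaviour change than the subject line "no vertices" describes: an OFF file that declares zero faces is a syntactically valid point cloud and previously reached the `new aiFace [mesh->mNumFaces = numFaces]` allocation two lines below, whereas it is now refused outright; either the commit message should say that point-only files are rejected, or the faces check should be dropped if they are meant to load. Both checks run before any allocation, so no leak is introduced on the throw. The declared counts are still only compared against zero here; whether the data that follows is actually that long is presumably checked by the reading loop outside this hunk. InternReadFile begins before the hunk and continues after it.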
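Review bot: Both new checks in CountVertsAndFacesLWOB measure `end - cursor` in elements rather than bytes, which is only correct if `cursor` and `end` are 16-bit pointers; the `cursor++` beside a 2-byte memcpy suggests they are, but the declarations are outside the hunk, so the comments should state the unit, e.g. `// end - cursor counts 16-bit words: numIndices + surface`. The second comparison `end - cursor < (1 + numIndices)` mixes a ptrdiff_t with an int-promoted uint16_t; it is well-defined here, but a `static_cast<ptrdiff_t>(numIndices)` would make that deliberate. Throwing the identical `"LWOB: Unexpected end of file"` from both sites leaves a bug report unable to say which guard fired; a distinct suffix per site (for instance `" (face header)"` and `" (face indices)"`) costs nothing. The function begins before the hunk and continues after it.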
@@ -156,7 +156,6 @@ void PLYImporter::InternReadFile( const std::string& pFile,
 }
 else
 {
- delete[] this->mBuffer;
 AI_DEBUG_INVALIDATE_PTR(this->mBuffer);
 throw DeadlyImportError( "Invalid .ply file: Missing format specification");
 }

From f971b66c477b128f617f14dd75ec3b85dfce28c8 Mon Sep 17 00:00:00 2001
From: Turo Lamminen
Date: Wed, 28 Jan 2015 14:29:14 +0200
Subject: [PATCH 8/9] Fix out-of-bounds read in invalid compressed X file

---
 code/XFileParser.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/code/XFileParser.cpp b/code/XFileParser.cpp
index 36e70bc1c..a62aef414 100644
--- a/code/XFileParser.cpp
+++ b/code/XFileParser.cpp
@@ -214,6 +214,10 @@ XFileParser::XFileParser( const std::vector& pBuffer)
 AI_SWAP2(ofs);
 P += 4;
+ if (P + ofs > End + 2) {
+ throw DeadlyImportError("X: Unexpected EOF in compressed chunk");
+ }
+
 // push data to the stream
 stream.next_in = (Bytef*)P;
 stream.avail_in = ofs;

From 792da49933195d1b0c4411e58ef041224acd45df Mon Sep 17 00:00:00 2001
From: Turo Lamminen
Date: Wed, 28 Jan 2015 16:06:01 +0200
Subject: [PATCH 9/9] Fix out-of-bounds write when STL file node name is too long

---
 code/STLLoader.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/code/STLLoader.cpp b/code/STLLoader.cpp
index 068008d9e..6fedcd34a 100644
--- a/code/STLLoader.cpp
+++ b/code/STLLoader.cpp
@@ -229,6 +229,9 @@ void STLImporter::LoadASCIIFile()
 size_t temp;
 // setup the name of the node
 if ((temp = (size_t)(sz-szMe))) {
+ if (temp >= MAXLEN) {
+ throw DeadlyImportError( "STL: Node name too long" );
+ }
 pScene->mRootNode->mName.length = temp;
 memcpy(pScene->mRootNode->mName.data,szMe,temp);
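Review bot: In the XFileParser hunk, `P + ofs > End + 2` computes a pointer past the buffer before comparing it, which is undefined behaviour in exactly the malformed case the guard exists for and is the kind of comparison an optimiser is entitled to fold; compare the remaining length instead, `if (P > End + 2 || ofs > (End + 2) - P) {`. The `+ 2` slack is also unexplained in the hunk — if `End` already points one past the last byte (not visible here) the guard admits two bytes of over-read — so the line wants a comment naming what those two bytes are. The constructor body runs before and after the hunk.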