Fix out-of-bounds read in RemoveLineComments

Follow up to 6f07e89fdf, which was not sufficient to fix the bug.

Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24553
pull/4147/head
Alex Rebert 2021-10-30 13:43:41 -04:00
parent 3664fe20c0
commit 145f972d76
No known key found for this signature in database
GPG Key ID: E082090D746F1A81
1 changed files with 7 additions and 15 deletions


@ -65,28 +65,20 @@ void CommentRemover::RemoveLineComments(const char* szComment,
len = lenBuffer; len = lenBuffer;
} }
char *szCurrent = szBuffer; for(size_t i = 0; i < lenBuffer; i++) {
while (*szCurrent) {
// skip over quotes // skip over quotes
if (*szCurrent == '\"' || *szCurrent == '\'') if (szBuffer[i] == '\"' || szBuffer[i] == '\'')
while (*szCurrent++ && *szCurrent != '\"' && *szCurrent != '\''); while (++i < lenBuffer && szBuffer[i] != '\"' && szBuffer[i] != '\'');
size_t lenRemaining = lenBuffer - (szCurrent - szBuffer); if(lenBuffer - i < len) {
if(lenRemaining < len) {
break; break;
} }
if (!strncmp(szCurrent,szComment,len)) { if (!strncmp(szBuffer + i,szComment,len)) {
while (!IsLineEnd(*szCurrent)) while (i < lenBuffer && !IsLineEnd(szBuffer[i]))
*szCurrent++ = chReplacement; szBuffer[i++] = chReplacement;
if (!*szCurrent) {
break;
} }
} }
++szCurrent;
}
} }
// ------------------------------------------------------------------------------------------------ // ------------------------------------------------------------------------------------------------
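Review bot: The quote-skip loop on the new side (`while (++i < lenBuffer && szBuffer[i] != '\"' && szBuffer[i] != '\'');`) is now bounds-safe, but it still runs past line ends, so a single unmatched quote of either kind — an apostrophe inside a comment, say — suppresses comment removal for the rest of the buffer until the next `'` or `"`; this predates the commit, but for a fuzz-exposed parser it is worth bounding the skip at the line as well, `while (++i < lenBuffer && szBuffer[i] != '\"' && szBuffer[i] != '\'' && !IsLineEnd(szBuffer[i]));`. The replacement loop also dropped the old explicit `if (!*szCurrent) break;`, so it now relies on either `IsLineEnd` treating `'\0'` as a line end or `lenBuffer` being the exact length; if neither holds, a NUL terminator inside the buffer would be overwritten with `chReplacement` — presumably `IsLineEnd` covers NUL, but that is worth confirming and noting in a comment. Style-wise, the empty-body `while (...);` is easy to misread as a loop over the following `if`; writing the body as `{}` on its own line (or a short comment) makes the intent explicit. Since 6f07e89fdf was an incomplete fix, landing the oss-fuzz reproducer as a regression test would guard against a third round. The enclosing function `RemoveLineComments` begins before the hunk, so the clamping of `len` and the meaning of `lenBuffer` are not visible here.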