From 6b0a7a21a436cfff9368742a85e65b3f94930926 Mon Sep 17 00:00:00 2001
From: Luca Della Vedova
Date: Mon, 23 May 2022 14:24:56 +0800
Subject: [PATCH 1/7] Store SID in SID field
Signed-off-by: Luca Della Vedova
---
 code/AssetLib/Collada/ColladaParser.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code/AssetLib/Collada/ColladaParser.cpp b/code/AssetLib/Collada/ColladaParser.cpp
index 922d1f6b2..9b3af0848 100644
--- a/code/AssetLib/Collada/ColladaParser.cpp
+++ b/code/AssetLib/Collada/ColladaParser.cpp
@@ -2057,7 +2057,7 @@ void ColladaParser::ReadSceneNode(XmlNode &node, Node *pNode) {
 XmlParser::getStdStrAttribute(currentNode, "id", child->mID);
 }
 if (XmlParser::hasAttribute(currentNode, "sid")) {
- XmlParser::getStdStrAttribute(currentNode, "id", child->mSID);
+ XmlParser::getStdStrAttribute(currentNode, "sid", child->mSID);
 }
 if (XmlParser::hasAttribute(currentNode, "name")) {
 XmlParser::getStdStrAttribute(currentNode, "name", child->mName);
From bc6acedb33e3d0b241146a1e6370e14f5ad8297b Mon Sep 17 00:00:00 2001
From: Kim Kulling
Date: Sat, 16 Jul 2022 13:57:51 +0200
Subject: [PATCH 2/7] Fix uninitialized variable.
---
 contrib/stb/stb_image.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/stb/stb_image.h b/contrib/stb/stb_image.h
index 65a205f6e..8d173c66a 100644
--- a/contrib/stb/stb_image.h
+++ b/contrib/stb/stb_image.h
@@ -4941,7 +4941,7 @@ static int stbi__parse_png_file(stbi__png *z, int scan, int req_comp)
 {
 stbi_uc palette[1024], pal_img_n=0;
 stbi_uc has_trans=0, tc[3]={0};
- stbi__uint16 tc16[3];
+ stbi__uint16 tc16[3]={0};
 stbi__uint32 ioff=0, idata_limit=0, i, pal_len=0;
 int first=1,k,interlace=0, color=0, is_iphone=0;
 stbi__context *s = z->s;
From 0c07ea7c7117a8831289f843c5bae2ad628e9579 Mon Sep 17 00:00:00 2001
From: sashashura <93376818+sashashura@users.noreply.github.com>
Date: Sat, 16 Jul 2022 13:44:46 +0100
Subject: [PATCH 3/7] Fixes Heap-buffer-overflow in SuperFastHash
---
 code/AssetLib/LWS/LWSLoader.cpp | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/code/AssetLib/LWS/LWSLoader.cpp b/code/AssetLib/LWS/LWSLoader.cpp
index 951dbe180..abaaaa305 100644
--- a/code/AssetLib/LWS/LWSLoader.cpp
+++ b/code/AssetLib/LWS/LWSLoader.cpp
@@ -313,6 +313,9 @@ void LWSImporter::SetupNodeName(aiNode *nd, LWS::NodeDesc &src) {
 std::string::size_type t = src.path.substr(s).find_last_of('.');
 nd->mName.length = ::ai_snprintf(nd->mName.data, MAXLEN, "%s_(%08X)", src.path.substr(s).substr(0, t).c_str(), combined);
+ if (nd->mName.length > MAXLEN) {
+ nd->mName.length = MAXLEN;
+ }
 return;
 }
 }
From a4274930e496f8cc905329b49dfe29ff424cb175 Mon Sep 17 00:00:00 2001
From: sashashura <93376818+sashashura@users.noreply.github.com>
Date: Sat, 16 Jul 2022 13:46:50 +0100
Subject: [PATCH 4/7] Fixes Heap-use-after-free in Assimp::DXFImporter::ExpandBlockReferences
---
 code/AssetLib/DXF/DXFLoader.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/code/AssetLib/DXF/DXFLoader.cpp b/code/AssetLib/DXF/DXFLoader.cpp
index 6b2dbbe82..2f1ec35b4 100644
--- a/code/AssetLib/DXF/DXFLoader.cpp
+++ b/code/AssetLib/DXF/DXFLoader.cpp
@@ -368,7 +368,9 @@ void DXFImporter::ExpandBlockReferences(DXF::Block& bl,const DXF::BlockMap& bloc
 // XXX this would be the place to implement recursive expansion if needed.
 const DXF::Block& bl_src = *(*it).second;
- for (std::shared_ptr pl_in : bl_src.lines) {
+ const size_t size = bl_src.lines.size(); // the size may increase in the loop
+ for (size_t i = 0; i < size; ++i) {
+ std::shared_ptr pl_in = bl_src.lines[i];
 if (!pl_in) {
 ASSIMP_LOG_ERROR("DXF: PolyLine instance is nullptr, skipping.");
 continue;
From 94c0e9d89087805da3d7bef979d4e70cbcb00b18 Mon Sep 17 00:00:00 2001
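Review bot: The clamp added after the `ai_snprintf` call uses the wrong bound: the call is given `MAXLEN` as the size of `nd->mName.data`, so the buffer holds at most `MAXLEN - 1` characters plus the terminator, and a return value of `MAXLEN` or more means the name was truncated to `MAXLEN - 1`; storing `MAXLEN` as the length still claims one byte past the string. The two added lines should read `if (nd->mName.length >= MAXLEN) {` and `nd->mName.length = MAXLEN - 1;`. If ai_snprintf follows snprintf and returns a negative value on error, that value would also end up in this clamp once assigned to an unsigned length, so it is worth confirming whether the error case needs its own check. SetupNodeName starts before the hunk.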
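Review bot: The comment `// the size may increase in the loop` on the added line should say why, because `bl_src` is a `const` reference and a reader will not expect its `lines` to grow; presumably `bl` and `bl_src` can be the same block when a block inserts itself, and the loop body (which continues past the hunk) appends to `bl.lines`, so capping the iteration at the pre-loop count is what stops the expansion from feeding on its own output. Suggested wording: `// bl_src may alias bl, whose lines are appended to below; iterate by index over the original count so appended lines are not re-expanded and no iterator survives a reallocation.` Taking `pl_in` as a copy of the shared_ptr rather than a reference into the vector is correct for the same reason, and a short comment there would keep a later cleanup from turning it into `const auto&`.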
From: sashashura <93376818+sashashura@users.noreply.github.com>
Date: Sat, 16 Jul 2022 13:48:39 +0100
Subject: [PATCH 5/7] Fixes Heap-buffer-overflow in std::__1::basic_string, std::__1::allocator
Date: Sat, 16 Jul 2022 13:50:54 +0100
Subject: [PATCH 6/7] Fixes Heap-buffer-overflow in Assimp::ObjFileParser::getFace
---
 code/AssetLib/Obj/ObjFileParser.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/code/AssetLib/Obj/ObjFileParser.cpp b/code/AssetLib/Obj/ObjFileParser.cpp
index 4e50d5dae..4dc08edbc 100644
--- a/code/AssetLib/Obj/ObjFileParser.cpp
+++ b/code/AssetLib/Obj/ObjFileParser.cpp
@@ -458,7 +458,8 @@ void ObjFileParser::getFace(aiPrimitiveType type) {
 iPos = 0;
 } else {
 //OBJ USES 1 Base ARRAYS!!!!
- const int iVal(::atoi(&(*m_DataIt)));
+ std::string number(&(*m_DataIt), m_DataItEnd - m_DataIt);
+ const int iVal(::atoi(number.c_str()));
 // increment iStep position based off of the sign and # of digits
 int tmp = iVal;
From 9ddc3a64d7b8f95c7aafd7f6ad2fb97d459c7f0b Mon Sep 17 00:00:00 2001
From: sashashura <93376818+sashashura@users.noreply.github.com>
Date: Sat, 16 Jul 2022 13:55:08 +0100
Subject: [PATCH 7/7] Fixes Crash in Assimp::ObjFileMtlImporter::getFloatValue
---
 code/AssetLib/Obj/ObjFileMtlImporter.cpp | 48 ++++++++++++++++--------
 1 file changed, 32 insertions(+), 16 deletions(-)
diff --git a/code/AssetLib/Obj/ObjFileMtlImporter.cpp b/code/AssetLib/Obj/ObjFileMtlImporter.cpp
index a73277701..f8ab1b69e 100644
--- a/code/AssetLib/Obj/ObjFileMtlImporter.cpp
+++ b/code/AssetLib/Obj/ObjFileMtlImporter.cpp
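Review bot: The added `std::string number(&(*m_DataIt), m_DataItEnd - m_DataIt)` copies the whole remainder of the buffer for every face index, so each vertex reference on an `f` line costs O(remaining bytes) and a large OBJ becomes quadratic; the copy only needs to cover the numeric token, which also keeps the non-NUL-terminated buffer from being read past the number. `::atoi` is undefined when the value does not fit an `int`, and the new code still passes arbitrary file content into it unchecked, so a bounded parse with `std::strtol` (saturating, then clamped to int) closes both points; the rewrite below assumes `m_DataIt` sits on the first character of the index when this branch is taken, which the surrounding separator handling outside the hunk should confirm, and it needs `<climits>` for the clamp. getFace, and the digit-counting code that consumes `iVal`, continue outside the hunk.
```cpp
//OBJ USES 1 Base ARRAYS!!!!
// Copy only the signed digit run: the buffer is not NUL-terminated, and copying
// up to m_DataItEnd would cost the rest of the file for every index.
auto tokEnd = m_DataIt;
if (tokEnd != m_DataItEnd && (*tokEnd == '-' || *tokEnd == '+')) {
    ++tokEnd;
}
while (tokEnd != m_DataItEnd && *tokEnd >= '0' && *tokEnd <= '9') {
    ++tokEnd;
}
const std::string number(&(*m_DataIt), tokEnd - m_DataIt);
// strtol saturates on overflow instead of invoking UB; clamp the long into int range.
const long parsed = ::strtol(number.c_str(), nullptr, 10);
const int iVal = parsed > INT_MAX ? INT_MAX : (parsed < INT_MIN ? INT_MIN : static_cast<int>(parsed));
// … unchanged: iStep advance from the sign and digit count of iVal …
```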
@@ -126,17 +126,21 @@ void ObjFileMtlImporter::load() {
 if (*m_DataIt == 'a') // Ambient color
 {
 ++m_DataIt;
- getColorRGBA(&m_pModel->m_pCurrentMaterial->ambient);
+ if (m_pModel->m_pCurrentMaterial != nullptr)
+ getColorRGBA(&m_pModel->m_pCurrentMaterial->ambient);
 } else if (*m_DataIt == 'd') {
 // Diffuse color
 ++m_DataIt;
- getColorRGBA(&m_pModel->m_pCurrentMaterial->diffuse);
+ if (m_pModel->m_pCurrentMaterial != nullptr)
+ getColorRGBA(&m_pModel->m_pCurrentMaterial->diffuse);
 } else if (*m_DataIt == 's') {
 ++m_DataIt;
- getColorRGBA(&m_pModel->m_pCurrentMaterial->specular);
+ if (m_pModel->m_pCurrentMaterial != nullptr)
+ getColorRGBA(&m_pModel->m_pCurrentMaterial->specular);
 } else if (*m_DataIt == 'e') {
 ++m_DataIt;
- getColorRGBA(&m_pModel->m_pCurrentMaterial->emissive);
+ if (m_pModel->m_pCurrentMaterial != nullptr)
+ getColorRGBA(&m_pModel->m_pCurrentMaterial->emissive);
 }
 m_DataIt = skipLine(m_DataIt, m_DataItEnd, m_uiLine);
 } break;
@@ -145,13 +149,15 @@ void ObjFileMtlImporter::load() {
 // Material transmission color
 if (*m_DataIt == 'f') {
 ++m_DataIt;
- getColorRGBA(&m_pModel->m_pCurrentMaterial->transparent);
+ if (m_pModel->m_pCurrentMaterial != nullptr)
+ getColorRGBA(&m_pModel->m_pCurrentMaterial->transparent);
 } else if (*m_DataIt == 'r') {
 // Material transmission alpha value
 ++m_DataIt;
 ai_real d;
 getFloatValue(d);
- m_pModel->m_pCurrentMaterial->alpha = static_cast(1.0) - d;
+ if (m_pModel->m_pCurrentMaterial != nullptr)
+ m_pModel->m_pCurrentMaterial->alpha = static_cast(1.0) - d;
 }
 m_DataIt = skipLine(m_DataIt, m_DataItEnd, m_uiLine);
 } break;
@@ -162,7 +168,8 @@ void ObjFileMtlImporter::load() {
 } else {
 // Alpha value
 ++m_DataIt;
- getFloatValue(m_pModel->m_pCurrentMaterial->alpha);
+ if (m_pModel->m_pCurrentMaterial != nullptr)
+ getFloatValue(m_pModel->m_pCurrentMaterial->alpha);
 m_DataIt = skipLine(m_DataIt, m_DataItEnd, m_uiLine);
 }
 } break;
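Review bot: The same `if (m_pModel->m_pCurrentMaterial != nullptr)` guard is now repeated in front of every material field write in this hunk and again in the hunks at -145, -162, -173, -197 and -232, which puts the "no current material yet" invariant in more than a dozen places and makes it easy to miss on the next field added (the hunk at -240 already guards the wrong statement, raised separately). If load() dispatches one keyword per loop iteration, as the `skipLine` calls at the end of each branch suggest, a single check at the top of that dispatch that skips the line when no material is current, or having the parser create a default material before any keyword is handled, would express the rule once. If the per-branch form is kept, the bodies should be braced like the surrounding code rather than single-statement `if`s, e.g. `if (m_pModel->m_pCurrentMaterial != nullptr) {` / `    getColorRGBA(&m_pModel->m_pCurrentMaterial->ambient);` / `}`. load() starts before and ends after these hunks.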
@@ -173,11 +180,13 @@ void ObjFileMtlImporter::load() {
 switch (*m_DataIt) {
 case 's': // Specular exponent
 ++m_DataIt;
- getFloatValue(m_pModel->m_pCurrentMaterial->shineness);
+ if (m_pModel->m_pCurrentMaterial != nullptr)
+ getFloatValue(m_pModel->m_pCurrentMaterial->shineness);
 break;
 case 'i': // Index Of refraction
 ++m_DataIt;
- getFloatValue(m_pModel->m_pCurrentMaterial->ior);
+ if (m_pModel->m_pCurrentMaterial != nullptr)
+ getFloatValue(m_pModel->m_pCurrentMaterial->ior);
 break;
 case 'e': // New material
 createMaterial();
@@ -197,23 +206,28 @@ void ObjFileMtlImporter::load() {
 {
 case 'r':
 ++m_DataIt;
- getFloatValue(m_pModel->m_pCurrentMaterial->roughness);
+ if (m_pModel->m_pCurrentMaterial != nullptr)
+ getFloatValue(m_pModel->m_pCurrentMaterial->roughness);
 break;
 case 'm':
 ++m_DataIt;
- getFloatValue(m_pModel->m_pCurrentMaterial->metallic);
+ if (m_pModel->m_pCurrentMaterial != nullptr)
+ getFloatValue(m_pModel->m_pCurrentMaterial->metallic);
 break;
 case 's':
 ++m_DataIt;
- getColorRGBA(m_pModel->m_pCurrentMaterial->sheen);
+ if (m_pModel->m_pCurrentMaterial != nullptr)
+ getColorRGBA(m_pModel->m_pCurrentMaterial->sheen);
 break;
 case 'c':
 ++m_DataIt;
 if (*m_DataIt == 'r') {
 ++m_DataIt;
- getFloatValue(m_pModel->m_pCurrentMaterial->clearcoat_roughness);
+ if (m_pModel->m_pCurrentMaterial != nullptr)
+ getFloatValue(m_pModel->m_pCurrentMaterial->clearcoat_roughness);
 } else {
- getFloatValue(m_pModel->m_pCurrentMaterial->clearcoat_thickness);
+ if (m_pModel->m_pCurrentMaterial != nullptr)
+ getFloatValue(m_pModel->m_pCurrentMaterial->clearcoat_thickness);
 }
 break;
 }
@@ -232,7 +246,8 @@ void ObjFileMtlImporter::load() {
 case 'i': // Illumination model
 {
 m_DataIt = getNextToken(m_DataIt, m_DataItEnd);
- getIlluminationModel(m_pModel->m_pCurrentMaterial->illumination_model);
+ if (m_pModel->m_pCurrentMaterial != nullptr)
+ getIlluminationModel(m_pModel->m_pCurrentMaterial->illumination_model);
 m_DataIt = skipLine(m_DataIt, m_DataItEnd, m_uiLine);
 }
 break;
@@ -240,7 +255,8 @@ void ObjFileMtlImporter::load() {
 {
 ++m_DataIt;
 getFloatValue(m_pModel->m_pCurrentMaterial->anisotropy);
- m_DataIt = skipLine(m_DataIt, m_DataItEnd, m_uiLine);
+ if (m_pModel->m_pCurrentMaterial != nullptr)
+ m_DataIt = skipLine(m_DataIt, m_DataItEnd, m_uiLine);
 }
 break;
 default: {
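Review bot: The guard in this hunk wraps the wrong statement: `getFloatValue(m_pModel->m_pCurrentMaterial->anisotropy)` on the context line above the change still dereferences `m_pCurrentMaterial` unconditionally, so the null case this series is fixing is untouched here, while `m_DataIt = skipLine(...)`, which does not touch the material at all, is now skipped when the pointer is null and leaves the parser sitting on the line it just read. The condition should move up one statement: `if (m_pModel->m_pCurrentMaterial != nullptr)` / `    getFloatValue(m_pModel->m_pCurrentMaterial->anisotropy);` / `m_DataIt = skipLine(m_DataIt, m_DataItEnd, m_uiLine);`. Whether failing to advance `m_DataIt` can stall the outer loop depends on code outside the hunk, but every other branch in this series calls skipLine unconditionally and this one should match. load() starts and ends outside the hunk.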