From 1a5d66714f9e33f99f3d413bc5f6bef34bcf6dae Mon Sep 17 00:00:00 2001
From: Jan Krassnigg
Date: Thu, 25 Nov 2021 11:20:26 +0100
Subject: [PATCH] Prevent out-of-range memory writes by sparse accessors

This turned up during fuzz testing. Corrupted data would make assimp write to random memory locations, leading to subsequent crashes.
---
 code/AssetLib/glTF2/glTF2Asset.inl | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/code/AssetLib/glTF2/glTF2Asset.inl b/code/AssetLib/glTF2/glTF2Asset.inl
index e0a505297..ffe528757 100644
--- a/code/AssetLib/glTF2/glTF2Asset.inl
+++ b/code/AssetLib/glTF2/glTF2Asset.inl
@@ -809,6 +809,11 @@ inline void Accessor::Sparse::PatchData(unsigned int elementSize) {
     }
     offset *= elementSize;
+
+    if (offset + elementSize > data.size()) {
+        throw DeadlyImportError("Invalid sparse accessor. Byte offset for patching points outside allocated memory.");
+    }
+
     std::memcpy(data.data() + offset, pValues, elementSize);
     pValues += elementSize;