From cf966391190a5c6b00feeb0f3250202c3d01ff00 Mon Sep 17 00:00:00 2001 From: Kim Kulling Date: Thu, 24 Feb 2022 16:49:35 +0100 Subject: [PATCH 1/2] Fix possible negative array access - Return when the calculated offset gets negative - closes https://github.com/assimp/assimp/issues/4414 --- include/assimp/Hash.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/include/assimp/Hash.h b/include/assimp/Hash.h index 1f2baedac..1a5d1f08d 100644 --- a/include/assimp/Hash.h +++ b/include/assimp/Hash.h @@ -4,7 +4,6 @@ Open Asset Import Library (assimp) Copyright (c) 2006-2022, assimp team - All rights reserved. Redistribution and use of this software in source and binary forms, @@ -96,7 +95,11 @@ int rem; switch (rem) { case 3: hash += get16bits (data); hash ^= hash << 16; - hash ^= data[sizeof (uint16_t)] << 18; + size_t offset = static_cast(sizeof(uint16_t)); + if (offset < 0) { + return 0; + } + hash ^= data[offset] << 18; hash += hash >> 11; break; case 2: hash += get16bits (data); From 0dc24ab3a747ca97a23bec6eb8d0123d2b5f9c19 Mon Sep 17 00:00:00 2001 From: Kim Kulling Date: Thu, 24 Feb 2022 17:04:39 +0100 Subject: [PATCH 2/2] Fix declaration of offset --- include/assimp/Hash.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/include/assimp/Hash.h b/include/assimp/Hash.h index 1a5d1f08d..5a02f5f31 100644 --- a/include/assimp/Hash.h +++ b/include/assimp/Hash.h @@ -75,7 +75,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. inline uint32_t SuperFastHash (const char * data, uint32_t len = 0, uint32_t hash = 0) { uint32_t tmp; int rem; - +size_t offset; + if (!data) return 0; if (!len)len = (uint32_t)::strlen(data); @@ -95,7 +96,7 @@ int rem; switch (rem) { case 3: hash += get16bits (data); hash ^= hash << 16; - size_t offset = static_cast(sizeof(uint16_t)); + offset = static_cast(sizeof(uint16_t)); if (offset < 0) { return 0; }
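Review bot: The added guard `if (offset < 0)` in `case 3` can never be true, because `offset` is a `size_t` holding the compile-time constant `sizeof(uint16_t)`, so the commit adds dead code and still reads the same byte. The index could never go negative; what can be negative is the `char` element itself, which is promoted to `int` before `<< 18`. If that is what the linked issue reports (not visible on this page), the fix belongs on the element, for example converting it to an unsigned type before the shift, though this changes hash values for bytes above 0x7F where `char` is signed. Otherwise I would restore `hash ^= data[sizeof (uint16_t)] << 18;` and treat the report as a false positive. The same check is carried unchanged through the second hunk of PATCH 2/2, and the switch continues outside the hunk.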
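Review bot: Hoisting `size_t offset;` to the top of SuperFastHash in PATCH 2/2 leaves it uninitialized and visible to the whole function, although only `case 3` assigns and reads it. Bracing the case body (`case 3: {` … `break; }`) would have kept the initialized declaration from PATCH 1/2 local. The build failure this follow-up presumably fixes comes from later case labels jumping past an initialization, and a braced scope avoids that. The function body continues outside the hunk.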