Merge pull request #4160 from RichardTea/fix_gltf_warning_4126

Check and limit maximum size of glTF
2021-11-11 21:30:07 +01:00 · 2021-11-11 21:30:07 +01:00 · 1f8edd5959
parent add7f1355e 43b0ef181a
commit 1f8edd5959
2 changed files with 124 additions and 107 deletions
--- a/code/AssetLib/glTF/glTFAsset.inl
+++ b/code/AssetLib/glTF/glTFAsset.inl
@ -39,8 +39,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ----------------------------------------------------------------------
 */

-#include <assimp/StringUtils.h>
 #include <assimp/MemoryIOWrapper.h>
+#include <assimp/StringUtils.h>
 #include <iomanip>

 // Header files, Assimp
@ -57,11 +57,10 @@ using namespace glTFCommon;
 namespace glTF {

 #if _MSC_VER
-#    pragma warning(push)
-#    pragma warning(disable : 4706)
+#pragma warning(push)
+#pragma warning(disable : 4706)
 #endif // _MSC_VER

-
 //
 // LazyDict methods
 //
@ -215,8 +214,9 @@ inline void Buffer::Read(Value &obj, Asset &r) {
        if (byteLength > 0) {
            std::string dir = !r.mCurrentAssetDir.empty() ? (
                                                                    r.mCurrentAssetDir.back() == '/' ?
-                   r.mCurrentAssetDir : r.mCurrentAssetDir + '/'
-            ) : "";
+                                                                            r.mCurrentAssetDir :
+                                                                            r.mCurrentAssetDir + '/') :
+                                                            "";

            IOStream *file = r.OpenFile(dir + uri, "rb");
            if (file) {
@ -771,8 +771,7 @@ inline void Mesh::Read(Value &pJSON_Object, Asset &pAsset_Root) {
            Decode_O3DGC(*ext_o3dgc, pAsset_Root);
            Extension.push_back(ext_o3dgc); // store info in mesh extensions list.
        } // if(it_memb->name.GetString() == "Open3DGC-compression")
-        else
-        {
+        else {
            throw DeadlyImportError("GLTF: Unknown mesh extension: \"", it_memb->name.GetString(), "\".");
        }
    } // for(Value::MemberIterator it_memb = json_extensions->MemberBegin(); it_memb != json_extensions->MemberEnd(); json_extensions++)
@ -1148,7 +1147,8 @@ inline void Asset::ReadBinaryHeader(IOStream &stream) {
    AI_SWAP4(header.length);
    AI_SWAP4(header.sceneLength);

-    mSceneLength = static_cast<size_t>(header.sceneLength);
+    static_assert(std::numeric_limits<uint32_t>::max() <= std::numeric_limits<size_t>::max(), "size_t must be at least 32bits");
+    mSceneLength = static_cast<size_t>(header.sceneLength); // Can't be larger than 4GB (max. uint32_t)

    mBodyOffset = sizeof(header) + mSceneLength;
    mBodyOffset = (mBodyOffset + 3) & ~3; // Round up to next multiple of 4
@ -1179,8 +1179,17 @@ inline void Asset::Load(const std::string &pFile, bool isBinary) {
        mBodyLength = 0;
    }

-    // read the scene data
+    // Smallest legal JSON file is "{}" Smallest loadable glTF file is larger than that but catch it later
+    if (mSceneLength < 2) {
+        throw DeadlyImportError("GLTF: No JSON file contents");
+    }

+    // Binary format only supports up to 4GB of JSON so limit it there to avoid extreme memory allocation
+    if (mSceneLength >= std::numeric_limits<uint32_t>::max()) {
+        throw DeadlyImportError("GLTF: JSON size greater than 4GB");
+    }
+
+    // read the scene data, ensure null termination
    std::vector<char> sceneData(mSceneLength + 1);
    sceneData[mSceneLength] = '\0';

@ -1258,7 +1267,7 @@ inline void Asset::ReadExtensionsUsed(Document &doc) {
 #undef CHECK_EXT
 }

-inline IOStream *Asset::OpenFile(const std::string& path, const char *mode, bool absolute) {
+inline IOStream *Asset::OpenFile(const std::string &path, const char *mode, bool absolute) {
 #ifdef ASSIMP_API
    (void)absolute;
    return mIOSystem->Open(path, mode);
@ -1300,7 +1309,7 @@ inline std::string Asset::FindUniqueID(const std::string &str, const char *suffi
 }

 #if _MSC_VER
-#    pragma warning(pop)
+#pragma warning(pop)
 #endif // _MSC_VER

 } // namespace glTF
--- a/code/AssetLib/glTF2/glTF2Asset.inl
+++ b/code/AssetLib/glTF2/glTF2Asset.inl
@ -299,7 +299,7 @@ inline LazyDict<T>::~LazyDict() {
 template <class T>
 inline void LazyDict<T>::AttachToDocument(Document &doc) {
    Value *container = nullptr;
-    const char* context = nullptr;
+    const char *context = nullptr;

    if (mExtId) {
        if (Value *exts = FindObject(doc, "extensions")) {
@ -751,9 +751,8 @@ inline void Accessor::Read(Value &obj, Asset &r) {
    byteOffset = MemberOrDefault(obj, "byteOffset", size_t(0));
    componentType = MemberOrDefault(obj, "componentType", ComponentType_BYTE);
    {
-        const Value* countValue = FindUInt(obj, "count");
-        if (!countValue)
-        {
+        const Value *countValue = FindUInt(obj, "count");
+        if (!countValue) {
            throw DeadlyImportError("A count value is required, when reading ", id.c_str(), name.empty() ? "" : " (" + name + ")");
        }
        count = countValue->GetUint();
@ -1777,9 +1776,9 @@ inline void Asset::ReadBinaryHeader(IOStream &stream, std::vector<char> &sceneDa
        throw DeadlyImportError("GLTF: JSON chunk missing");
    }

-    // read the scene data
-
-    mSceneLength = chunk.chunkLength;
+    // read the scene data, ensure null termination
+    static_assert(std::numeric_limits<uint32_t>::max() <= std::numeric_limits<size_t>::max(), "size_t must be at least 32bits");
+    mSceneLength = chunk.chunkLength; // Can't be larger than 4GB (max. uint32_t)
    sceneData.resize(mSceneLength + 1);
    sceneData[mSceneLength] = '\0';

@ -1836,8 +1835,12 @@ inline void Asset::Load(const std::string &pFile, bool isBinary) {
        mSceneLength = stream->FileSize();
        mBodyLength = 0;

-        // read the scene data
+        // Binary format only supports up to 4GB of JSON, use that as a maximum
+        if (mSceneLength >= std::numeric_limits<uint32_t>::max()) {
+            throw DeadlyImportError("GLTF: JSON size greater than 4GB");
+        }

+        // read the scene data, ensure null termination
        sceneData.resize(mSceneLength + 1);
        sceneData[mSceneLength] = '\0';

@ -1846,6 +1849,11 @@ inline void Asset::Load(const std::string &pFile, bool isBinary) {
        }
    }

+    // Smallest legal JSON file is "{}" Smallest loadable glTF file is larger than that but catch it later
+    if (mSceneLength < 2) {
+        throw DeadlyImportError("GLTF: No JSON file contents");
+    }
+
    // parse the JSON document
    ASSIMP_LOG_DEBUG("Parsing GLTF2 JSON");
    Document doc;
@ -1974,7 +1982,7 @@ inline void Asset::ReadExtensionsUsed(Document &doc) {
 #undef CHECK_EXT
 }

-inline IOStream *Asset::OpenFile(const std::string& path, const char *mode, bool /*absolute*/) {
+inline IOStream *Asset::OpenFile(const std::string &path, const char *mode, bool /*absolute*/) {
 #ifdef ASSIMP_API
    return mIOSystem->Open(path, mode);
 #else