Merge pull request #5122 from sashashura/5407417422970880
Fix Heap-buffer-overflow READ in Assimp::MD5::MD5Parser::ParseSectionpull/5126/head^2
Kim Kulling
GitHub
commit
27c4de3419
|
|
@ -138,18 +138,31 @@ bool MD5Parser::ParseSection(Section &out) {
|
||||||
char *sz = buffer;
|
char *sz = buffer;
|
||||||
while (!IsSpaceOrNewLine(*buffer)) {
|
while (!IsSpaceOrNewLine(*buffer)) {
|
||||||
++buffer;
|
++buffer;
|
||||||
|
if (buffer == bufferEnd)
|
||||||
|
return false;
|
||||||
}
|
}
|
||||||
out.mName = std::string(sz, (uintptr_t)(buffer - sz));
|
out.mName = std::string(sz, (uintptr_t)(buffer - sz));
|
||||||
SkipSpaces();
|
while (IsSpace(*buffer)) {
|
||||||
|
++buffer;
|
||||||
|
if (buffer == bufferEnd)
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
bool running = true;
|
bool running = true;
|
||||||
while (running) {
|
while (running) {
|
||||||
if ('{' == *buffer) {
|
if ('{' == *buffer) {
|
||||||
// it is a normal section so read all lines
|
// it is a normal section so read all lines
|
||||||
++buffer;
|
++buffer;
|
||||||
|
if (buffer == bufferEnd)
|
||||||
|
return false;
|
||||||
bool run = true;
|
bool run = true;
|
||||||
while (run) {
|
while (run) {
|
||||||
if (!SkipSpacesAndLineEnd()) {
|
while (IsSpaceOrNewLine(*buffer)) {
|
||||||
|
++buffer;
|
||||||
|
if (buffer == bufferEnd)
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
if ('\0' == *buffer) {
|
||||||
return false; // seems this was the last section
|
return false; // seems this was the last section
|
||||||
}
|
}
|
||||||
if ('}' == *buffer) {
|
if ('}' == *buffer) {
|
||||||
|
|
@ -164,25 +177,39 @@ bool MD5Parser::ParseSection(Section &out) {
|
||||||
elem.szStart = buffer;
|
elem.szStart = buffer;
|
||||||
|
|
||||||
// terminate the line with zero
|
// terminate the line with zero
|
||||||
while (!IsLineEnd(*buffer))
|
while (!IsLineEnd(*buffer)) {
|
||||||
++buffer;
|
++buffer;
|
||||||
|
if (buffer == bufferEnd)
|
||||||
|
return false;
|
||||||
|
}
|
||||||
if (*buffer) {
|
if (*buffer) {
|
||||||
++lineNumber;
|
++lineNumber;
|
||||||
*buffer++ = '\0';
|
*buffer++ = '\0';
|
||||||
|
if (buffer == bufferEnd)
|
||||||
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
} else if (!IsSpaceOrNewLine(*buffer)) {
|
} else if (!IsSpaceOrNewLine(*buffer)) {
|
||||||
// it is an element at global scope. Parse its value and go on
|
// it is an element at global scope. Parse its value and go on
|
||||||
sz = buffer;
|
sz = buffer;
|
||||||
while (!IsSpaceOrNewLine(*buffer++))
|
while (!IsSpaceOrNewLine(*buffer++)) {
|
||||||
;
|
if (buffer == bufferEnd)
|
||||||
|
return false;
|
||||||
|
}
|
||||||
out.mGlobalValue = std::string(sz, (uintptr_t)(buffer - sz));
|
out.mGlobalValue = std::string(sz, (uintptr_t)(buffer - sz));
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
return SkipSpacesAndLineEnd();
|
if (buffer == bufferEnd)
|
||||||
|
return false;
|
||||||
|
while (IsSpaceOrNewLine(*buffer)) {
|
||||||
|
++buffer;
|
||||||
|
if (buffer == bufferEnd)
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
return '\0' != *buffer;
|
||||||
}
|
}
|
||||||
|
|
||||||
// ------------------------------------------------------------------------------------------------
|
// ------------------------------------------------------------------------------------------------
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue