From a4274930e496f8cc905329b49dfe29ff424cb175 Mon Sep 17 00:00:00 2001
From: sashashura <93376818+sashashura@users.noreply.github.com>
Date: Sat, 16 Jul 2022 13:46:50 +0100
Subject: [PATCH 1/2] Fixes Heap-use-after-free in Assimp::DXFImporter::ExpandBlockReferences
---
 code/AssetLib/DXF/DXFLoader.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/code/AssetLib/DXF/DXFLoader.cpp b/code/AssetLib/DXF/DXFLoader.cpp
index 6b2dbbe82..2f1ec35b4 100644
--- a/code/AssetLib/DXF/DXFLoader.cpp
+++ b/code/AssetLib/DXF/DXFLoader.cpp
@@ -368,7 +368,9 @@ void DXFImporter::ExpandBlockReferences(DXF::Block& bl,const DXF::BlockMap& bloc
 // XXX this would be the place to implement recursive expansion if needed.
 const DXF::Block& bl_src = *(*it).second;
- for (std::shared_ptr pl_in : bl_src.lines) {
+ const size_t size = bl_src.lines.size(); // the size may increase in the loop
+ for (size_t i = 0; i < size; ++i) {
+ std::shared_ptr pl_in = bl_src.lines[i];
 if (!pl_in) {
 ASSIMP_LOG_ERROR("DXF: PolyLine instance is nullptr, skipping.");
 continue;
From 94c0e9d89087805da3d7bef979d4e70cbcb00b18 Mon Sep 17 00:00:00 2001
From: sashashura <93376818+sashashura@users.noreply.github.com>
Date: Sat, 16 Jul 2022 13:48:39 +0100
Subject: [PATCH 2/2] Fixes Heap-buffer-overflow in std::__1::basic_string, std::__1::allocator
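Review bot: The comment added on the `size` line in the DXFLoader.cpp hunk says only that the size may increase, not that the safety of the fix depends on `pl_in` being a by-value copy of `bl_src.lines[i]`. If the loop body appends to that same vector (presumably when `bl` and `bl_src` are the same block, i.e. a block that inserts itself), a reallocation invalidates every reference and iterator into it, so a later cleanup to `const auto& pl_in = bl_src.lines[i];` or back to a range-for would reintroduce the use-after-free. I would state that invariant in the comment: `// bl_src.lines may be appended to inside this loop (bl can alias bl_src): snapshot the size and copy each shared_ptr, never hold a reference or iterator across the body`. Because the aliasing would come from the imported file, an explicit `&bl == &bl_src` check with a logged error before the loop may be the clearer guard. The loop body and the enclosing function lie outside this hunk, so both points need confirming against the full function.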