Merge pull request #4147 from alpire/master

Fix out-of-bounds read in RemoveLineComments
2021-11-12 10:36:44 +01:00 · 2021-11-12 10:36:44 +01:00 · 2e5e176bf3
parent a7a6b96ca8 c22524351a
commit 2e5e176bf3
1 changed files with 18 additions and 26 deletions
--- a/code/Common/RemoveComments.cpp
+++ b/code/Common/RemoveComments.cpp
@ -4,7 +4,6 @@ Open Asset Import Library (assimp)

 Copyright (c) 2006-2021, assimp team

-
 All rights reserved.

 Redistribution and use of this software in source and binary forms,
@ -40,20 +39,19 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ----------------------------------------------------------------------
 */

-/** @file  RemoveComments.cpp
+/** 
+ *  @file  RemoveComments.cpp
 *  @brief Defines the CommentRemover utility class
 */

 #include <assimp/RemoveComments.h>
 #include <assimp/ParsingUtils.h>

-namespace Assimp    {
+namespace Assimp {

 // ------------------------------------------------------------------------------------------------
 // Remove line comments from a file
-void CommentRemover::RemoveLineComments(const char* szComment,
-    char* szBuffer, char chReplacement /* = ' ' */)
-{
+void CommentRemover::RemoveLineComments(const char* szComment, char* szBuffer, char chReplacement /* = ' ' */) {
    // validate parameters
    ai_assert(nullptr != szComment);
    ai_assert(nullptr != szBuffer);
@ -65,36 +63,28 @@ void CommentRemover::RemoveLineComments(const char* szComment,
        len = lenBuffer;
    }

-    char *szCurrent = szBuffer;
-    while (*szCurrent)   {
-
+    for(size_t i = 0; i < lenBuffer; i++) {
        // skip over quotes
-        if (*szCurrent == '\"' || *szCurrent == '\'')
-            while (*szCurrent++ && *szCurrent != '\"' && *szCurrent != '\'');
+        if (szBuffer[i] == '\"' || szBuffer[i] == '\'')
+            while (++i < lenBuffer && szBuffer[i] != '\"' && szBuffer[i] != '\'');

-        size_t lenRemaining = lenBuffer - (szCurrent - szBuffer);
-        if(lenRemaining < len) {
+        if(lenBuffer - i < len) {
            break;
        }

-        if (!strncmp(szCurrent,szComment,len)) {
-            while (!IsLineEnd(*szCurrent))
-                *szCurrent++ = chReplacement;
-
-            if (!*szCurrent) {
-                break;
+        if (!strncmp(szBuffer + i,szComment,len)) {
+            while (i < lenBuffer && !IsLineEnd(szBuffer[i])) {
+                szBuffer[i++] = chReplacement;
            }
        }
-        ++szCurrent;
    }
 }

 // ------------------------------------------------------------------------------------------------
 // Remove multi-line comments from a file
 void CommentRemover::RemoveMultiLineComments(const char* szCommentStart,
-    const char* szCommentEnd,char* szBuffer,
-    char chReplacement)
-{
+        const char* szCommentEnd,char* szBuffer,
+        char chReplacement) {
    // validate parameters
    ai_assert(nullptr != szCommentStart);
    ai_assert(nullptr != szCommentEnd);
@ -107,18 +97,20 @@ void CommentRemover::RemoveMultiLineComments(const char* szCommentStart,

    while (*szBuffer)   {
        // skip over quotes
-        if (*szBuffer == '\"' || *szBuffer == '\'')
+        if (*szBuffer == '\"' || *szBuffer == '\'') {
            while (*szBuffer++ && *szBuffer != '\"' && *szBuffer != '\'');
+        }

        if (!strncmp(szBuffer,szCommentStart,len2))  {
            while (*szBuffer) {
                if (!::strncmp(szBuffer,szCommentEnd,len)) {
-                    for (unsigned int i = 0; i < len;++i)
+                    for (unsigned int i = 0; i < len;++i) {
                        *szBuffer++ = chReplacement;
+                    }

                    break;
                }
-            *szBuffer++ = chReplacement;
+                *szBuffer++ = chReplacement;
            }
            continue;
        }