From 145f972d76eaf3cd947a92789ecefb4cc1b78765 Mon Sep 17 00:00:00 2001
From: Alex Rebert
Date: Sat, 30 Oct 2021 13:43:41 -0400
Subject: [PATCH 1/2] Fix out-of-bounds read in RemoveLineComments

Follow up to 6f07e89fdfb, which was not sufficient to fix the bug. Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24553
---
 code/Common/RemoveComments.cpp | 22 +++++++---------------
 1 file changed, 7 insertions(+), 15 deletions(-)
diff --git a/code/Common/RemoveComments.cpp b/code/Common/RemoveComments.cpp
index 9974e985a..2de9666de 100644
--- a/code/Common/RemoveComments.cpp
+++ b/code/Common/RemoveComments.cpp
@@ -65,27 +65,19 @@ void CommentRemover::RemoveLineComments(const char* szComment,
 len = lenBuffer;
 }
- char *szCurrent = szBuffer;
- while (*szCurrent) {
-
+ for(size_t i = 0; i < lenBuffer; i++) {
 // skip over quotes
- if (*szCurrent == '\"' || *szCurrent == '\'')
- while (*szCurrent++ && *szCurrent != '\"' && *szCurrent != '\'');
+ if (szBuffer[i] == '\"' || szBuffer[i] == '\'')
+ while (++i < lenBuffer && szBuffer[i] != '\"' && szBuffer[i] != '\'');
- size_t lenRemaining = lenBuffer - (szCurrent - szBuffer);
- if(lenRemaining < len) {
+ if(lenBuffer - i < len) {
 break;
 }
- if (!strncmp(szCurrent,szComment,len)) {
- while (!IsLineEnd(*szCurrent))
- *szCurrent++ = chReplacement;
-
- if (!*szCurrent) {
- break;
- }
+ if (!strncmp(szBuffer + i,szComment,len)) {
+ while (i < lenBuffer && !IsLineEnd(szBuffer[i]))
+ szBuffer[i++] = chReplacement;
 }
- ++szCurrent;
 }
 }
From 97b8e41997160f2113e1e6fcde230ccb857167af Mon Sep 17 00:00:00 2001
From: Kim Kulling
Date: Fri, 12 Nov 2021 09:56:45 +0100
Subject: [PATCH 2/2] Fix formatting

---
 code/Common/RemoveComments.cpp | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/code/Common/RemoveComments.cpp b/code/Common/RemoveComments.cpp
index 2de9666de..e9e2a6ade 100644
--- a/code/Common/RemoveComments.cpp
+++ b/code/Common/RemoveComments.cpp
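Review bot: In the RemoveLineComments hunk of the first patch, `strncmp(szBuffer + i,szComment,len)` compares only a truncated prefix of the comment token whenever the token is longer than the buffer, because the context line `len = lenBuffer;` clamps `len` (its guarding condition is above the hunk, so this is inferred). A buffer that is merely a prefix of the token would then be blanked as if it were a comment. A token longer than the buffer can never match, so returning early instead of clamping, e.g. `if (len > lenBuffer) { return; }`, avoids the false match and leaves the `lenBuffer - i < len` check unchanged. Since the earlier fix for this fuzzer finding was incomplete, a regression test with a buffer that ends inside an open quote would pin the bounded `++i < lenBuffer` loop. The start of RemoveLineComments is outside the hunk.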
@@ -4,7 +4,6 @@ Open Asset Import Library (assimp) Copyright (c) 2006-2021, assimp team - All rights reserved. Redistribution and use of this software in source and binary forms, @@ -40,20 +39,19 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ---------------------------------------------------------------------- */ -/** @file RemoveComments.cpp +/** + * @file RemoveComments.cpp * @brief Defines the CommentRemover utility class */ #include #include -namespace Assimp { +namespace Assimp { // ------------------------------------------------------------------------------------------------ // Remove line comments from a file -void CommentRemover::RemoveLineComments(const char* szComment, - char* szBuffer, char chReplacement /* = ' ' */) -{ +void CommentRemover::RemoveLineComments(const char* szComment, char* szBuffer, char chReplacement /* = ' ' */) { // validate parameters ai_assert(nullptr != szComment); ai_assert(nullptr != szBuffer); @@ -75,8 +73,9 @@ void CommentRemover::RemoveLineComments(const char* szComment, } if (!strncmp(szBuffer + i,szComment,len)) { - while (i < lenBuffer && !IsLineEnd(szBuffer[i])) + while (i < lenBuffer && !IsLineEnd(szBuffer[i])) { szBuffer[i++] = chReplacement; + } } } } @@ -84,9 +83,8 @@ void CommentRemover::RemoveLineComments(const char* szComment, // ------------------------------------------------------------------------------------------------ // Remove multi-line comments from a file void CommentRemover::RemoveMultiLineComments(const char* szCommentStart, - const char* szCommentEnd,char* szBuffer, - char chReplacement) -{ + const char* szCommentEnd,char* szBuffer, + char chReplacement) { // validate parameters ai_assert(nullptr != szCommentStart); ai_assert(nullptr != szCommentEnd); 
@@ -99,18 +97,20 @@ void CommentRemover::RemoveMultiLineComments(const char* szCommentStart,
 while (*szBuffer) {
 // skip over quotes
- if (*szBuffer == '\"' || *szBuffer == '\'')
+ if (*szBuffer == '\"' || *szBuffer == '\'') {
 while (*szBuffer++ && *szBuffer != '\"' && *szBuffer != '\'');
+ }
 if (!strncmp(szBuffer,szCommentStart,len2)) {
 while (*szBuffer) {
 if (!::strncmp(szBuffer,szCommentEnd,len)) {
- for (unsigned int i = 0; i < len;++i)
+ for (unsigned int i = 0; i < len;++i) {
 *szBuffer++ = chReplacement;
+ }
 break;
 }
- *szBuffer++ = chReplacement;
+ *szBuffer++ = chReplacement;
 }
 continue;
 }
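Review bot: The quote-skip loop that this hunk only wraps in braces, `while (*szBuffer++ && *szBuffer != '\"' && *szBuffer != '\'');`, is the same post-increment pattern the first patch removed from RemoveLineComments. When a quote is never closed, the final `*szBuffer++` reads the terminator and still advances, leaving `szBuffer` one past the end of the string before the following `strncmp` and the outer `while (*szBuffer)` test. Stopping on the terminator without stepping over it would close that, e.g. `while (*++szBuffer && *szBuffer != '\"' && *szBuffer != '\'');` followed by `if (!*szBuffer) { break; }`. The early break matters because the loop tail is outside the hunk and presumably advances `szBuffer` once more. The function's opening lines and the code after `continue; }` are not visible here.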