Merge pull request #4147 from alpire/master

Fix out-of-bounds read in RemoveLineComments
pull/4111/head
Kim Kulling 2021-11-12 10:36:44 +01:00 committed by GitHub
commit 2e5e176bf3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 18 additions and 26 deletions


@ -4,7 +4,6 @@ Open Asset Import Library (assimp)
Copyright (c) 2006-2021, assimp team Copyright (c) 2006-2021, assimp team
All rights reserved. All rights reserved.
Redistribution and use of this software in source and binary forms, Redistribution and use of this software in source and binary forms,
@ -40,7 +39,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
---------------------------------------------------------------------- ----------------------------------------------------------------------
*/ */
/** @file RemoveComments.cpp /**
* @file RemoveComments.cpp
* @brief Defines the CommentRemover utility class * @brief Defines the CommentRemover utility class
*/ */
@ -51,9 +51,7 @@ namespace Assimp {
// ------------------------------------------------------------------------------------------------ // ------------------------------------------------------------------------------------------------
// Remove line comments from a file // Remove line comments from a file
void CommentRemover::RemoveLineComments(const char* szComment, void CommentRemover::RemoveLineComments(const char* szComment, char* szBuffer, char chReplacement /* = ' ' */) {
char* szBuffer, char chReplacement /* = ' ' */)
{
// validate parameters // validate parameters
ai_assert(nullptr != szComment); ai_assert(nullptr != szComment);
ai_assert(nullptr != szBuffer); ai_assert(nullptr != szBuffer);
@ -65,27 +63,20 @@ void CommentRemover::RemoveLineComments(const char* szComment,
len = lenBuffer; len = lenBuffer;
} }
char *szCurrent = szBuffer; for(size_t i = 0; i < lenBuffer; i++) {
while (*szCurrent) {
// skip over quotes // skip over quotes
if (*szCurrent == '\"' || *szCurrent == '\'') if (szBuffer[i] == '\"' || szBuffer[i] == '\'')
while (*szCurrent++ && *szCurrent != '\"' && *szCurrent != '\''); while (++i < lenBuffer && szBuffer[i] != '\"' && szBuffer[i] != '\'');
size_t lenRemaining = lenBuffer - (szCurrent - szBuffer); if(lenBuffer - i < len) {
if(lenRemaining < len) {
break; break;
} }
if (!strncmp(szCurrent,szComment,len)) { if (!strncmp(szBuffer + i,szComment,len)) {
while (!IsLineEnd(*szCurrent)) while (i < lenBuffer && !IsLineEnd(szBuffer[i])) {
*szCurrent++ = chReplacement; szBuffer[i++] = chReplacement;
if (!*szCurrent) {
break;
} }
} }
++szCurrent;
} }
} }
@ -93,8 +84,7 @@ void CommentRemover::RemoveLineComments(const char* szComment,
// Remove multi-line comments from a file // Remove multi-line comments from a file
void CommentRemover::RemoveMultiLineComments(const char* szCommentStart, void CommentRemover::RemoveMultiLineComments(const char* szCommentStart,
const char* szCommentEnd,char* szBuffer, const char* szCommentEnd,char* szBuffer,
char chReplacement) char chReplacement) {
{
// validate parameters // validate parameters
ai_assert(nullptr != szCommentStart); ai_assert(nullptr != szCommentStart);
ai_assert(nullptr != szCommentEnd); ai_assert(nullptr != szCommentEnd);
@ -107,14 +97,16 @@ void CommentRemover::RemoveMultiLineComments(const char* szCommentStart,
while (*szBuffer) { while (*szBuffer) {
// skip over quotes // skip over quotes
if (*szBuffer == '\"' || *szBuffer == '\'') if (*szBuffer == '\"' || *szBuffer == '\'') {
while (*szBuffer++ && *szBuffer != '\"' && *szBuffer != '\''); while (*szBuffer++ && *szBuffer != '\"' && *szBuffer != '\'');
}
if (!strncmp(szBuffer,szCommentStart,len2)) { if (!strncmp(szBuffer,szCommentStart,len2)) {
while (*szBuffer) { while (*szBuffer) {
if (!::strncmp(szBuffer,szCommentEnd,len)) { if (!::strncmp(szBuffer,szCommentEnd,len)) {
for (unsigned int i = 0; i < len;++i) for (unsigned int i = 0; i < len;++i) {
*szBuffer++ = chReplacement; *szBuffer++ = chReplacement;
}
break; break;
} }