From 6e5600a9a5bd2fa2aafa577fd0b113d99ba5b2b4 Mon Sep 17 00:00:00 2001
From: Daniel-Genkin
Date: Thu, 28 Oct 2021 10:26:14 -0400
Subject: [PATCH 01/13] Added another constructor to avoid requiring a full ANativeActivity
---
 include/assimp/port/AndroidJNI/AndroidJNIIOSystem.h | 2 ++
 port/AndroidJNI/AndroidJNIIOSystem.cpp | 6 ++++++
 2 files changed, 8 insertions(+)
diff --git a/include/assimp/port/AndroidJNI/AndroidJNIIOSystem.h b/include/assimp/port/AndroidJNI/AndroidJNIIOSystem.h
index 01505d571..370327542 100644
--- a/include/assimp/port/AndroidJNI/AndroidJNIIOSystem.h
+++ b/include/assimp/port/AndroidJNI/AndroidJNIIOSystem.h
@@ -65,6 +65,8 @@ public:
 /** Constructor. */
 AndroidJNIIOSystem(ANativeActivity* activity);
+ AndroidJNIIOSystem(const char *internalPath, AAssetManager assetManager);
+
 /** Destructor. */
 ~AndroidJNIIOSystem();
diff --git a/port/AndroidJNI/AndroidJNIIOSystem.cpp b/port/AndroidJNI/AndroidJNIIOSystem.cpp
index db499a20b..bed40ce51 100644
--- a/port/AndroidJNI/AndroidJNIIOSystem.cpp
+++ b/port/AndroidJNI/AndroidJNIIOSystem.cpp
@@ -67,6 +67,12 @@ AndroidJNIIOSystem::AndroidJNIIOSystem(ANativeActivity* activity)
 AndroidActivityInit(activity);
 }
+AndroidJNIIOSystem::AndroidJNIIOSystem(const char *internalPath, AAssetManager assetManager)
+{
+ mApkWorkspacePath = internalDataPath;
+ mApkAssetManager = assetManager;
+}
+
 // ------------------------------------------------------------------------------------------------
 // Destructor.
 AndroidJNIIOSystem::~AndroidJNIIOSystem()
From e5cd5733e1c2e5aae93382dae0b2524657a96c7a Mon Sep 17 00:00:00 2001
From: Kim Kulling
Date: Thu, 28 Oct 2021 17:50:25 +0200
Subject: [PATCH 02/13] Update AndroidJNIIOSystem.cpp
---
 port/AndroidJNI/AndroidJNIIOSystem.cpp | 169 ++++++++++++-------------
 1 file changed, 83 insertions(+), 86 deletions(-)
diff --git a/port/AndroidJNI/AndroidJNIIOSystem.cpp b/port/AndroidJNI/AndroidJNIIOSystem.cpp
index bed40ce51..00cf3af9c 100644
--- a/port/AndroidJNI/AndroidJNIIOSystem.cpp
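Review bot: The body of the new constructor in the `.cpp` hunk assigns `internalDataPath`, which is not a parameter of this constructor (the parameter is `internalPath`), and both hunks declare `assetManager` as a by-value `AAssetManager` although the member it is stored into is `AAssetManager*` and the NDK type is opaque, so it cannot be passed by value. Patch 11 of this series rewrites these to `AAssetManager* assetManager` and `mApkWorkspacePath(internalPath)`, which means this commit does not build on its own; squashing that fix into it keeps the series bisectable. The new constructor also has no doc comment in the header hunk, unlike its neighbours; `/** Constructor from an internal data path and an asset manager. */` would match the file's style.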
+++ b/port/AndroidJNI/AndroidJNIIOSystem.cpp
@@ -3,7 +3,7 @@ Open Asset Import Library (assimp)
 ---------------------------------------------------------------------------
-Copyright (c) 2006-2020, assimp team
+Copyright (c) 2006-2021, assimp team
 All rights reserved.
@@ -67,51 +67,50 @@ AndroidJNIIOSystem::AndroidJNIIOSystem(ANativeActivity* activity) AndroidActivityInit(activity); } -AndroidJNIIOSystem::AndroidJNIIOSystem(const char *internalPath, AAssetManager assetManager) -{ - mApkWorkspacePath = internalDataPath; - mApkAssetManager = assetManager; +AndroidJNIIOSystem::AndroidJNIIOSystem(const char *internalPath, AAssetManager assetManager) : + mApkWorkspacePath(internalDataPath), + mApkAssetManager(assetManager) { + // empty } // ------------------------------------------------------------------------------------------------ // Destructor. -AndroidJNIIOSystem::~AndroidJNIIOSystem() -{ - // nothing to do here +AndroidJNIIOSystem::~AndroidJNIIOSystem() { + // nothing to do here } // ------------------------------------------------------------------------------------------------ // Tests for the existence of a file at the given path. -bool AndroidJNIIOSystem::Exists( const char* pFile) const -{ - AAsset* asset = AAssetManager_open(mApkAssetManager, pFile, - AASSET_MODE_UNKNOWN); - FILE* file = ::fopen( (mApkWorkspacePath + getOsSeparator() + std::string(pFile)).c_str(), "rb"); +bool AndroidJNIIOSystem::Exists( const char* pFile) const { + AAsset* asset = AAssetManager_open(mApkAssetManager, pFile, AASSET_MODE_UNKNOWN); + FILE* file = ::fopen( (mApkWorkspacePath + getOsSeparator() + std::string(pFile)).c_str(), "rb"); + + if (!asset && !file) { + __android_log_print(ANDROID_LOG_ERROR, "Assimp", "Asset manager can not find: %s", pFile); + return false; + } - if (!asset && !file) - { - __android_log_print(ANDROID_LOG_ERROR, "Assimp", "Asset manager can not find: %s", pFile); - return false; - } - - __android_log_print(ANDROID_LOG_ERROR, "Assimp", "Asset exists"); - if (file) - ::fclose( file); - return true; + __android_log_print(ANDROID_LOG_ERROR, "Assimp", "Asset exists"); + if (file) { + ::fclose( file); + } + + return true; } // ------------------------------------------------------------------------------------------------ 
// Inits Android extractor -void AndroidJNIIOSystem::AndroidActivityInit(ANativeActivity* activity) -{ - mApkWorkspacePath = activity->internalDataPath; - mApkAssetManager = activity->assetManager; +void AndroidJNIIOSystem::AndroidActivityInit(ANativeActivity* activity) { + if (activity == nullptr) { + return; + } + mApkWorkspacePath = activity->internalDataPath; + mApkAssetManager = activity->assetManager; } // ------------------------------------------------------------------------------------------------ // Create the directory for the extracted resource -static int mkpath(std::string path, mode_t mode) -{ +static int mkpath(std::string path, mode_t mode) { if (mkdir(path.c_str(), mode) == -1) { switch(errno) { case ENOENT: 
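Review bot: `Exists` still leaks the `AAsset` handle: when `AAssetManager_open` succeeds the function logs and returns `true`, but only the `FILE*` is ever closed, so every existence check that hits the APK keeps an asset open; add `if (asset) { AAsset_close(asset); }` beside the `::fclose( file)` block. The success path also emits "Asset exists" at `ANDROID_LOG_ERROR`, which buries real errors in logcat; `ANDROID_LOG_DEBUG` fits that message. The new `activity == nullptr` early return in `AndroidActivityInit` leaves `mApkWorkspacePath` and `mApkAssetManager` untouched, and the header declares `AAssetManager* mApkAssetManager;` with no initializer, so an object built from a null activity later hands an indeterminate pointer to `AAssetManager_open`; give the member a `= nullptr` in-class initializer and have `Exists` return `false` on a null manager, or treat a null activity as an error instead of a silent return. The enclosing hunk starts before this line.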
@@ -131,82 +130,80 @@ static int mkpath(std::string path, mode_t mode) // ------------------------------------------------------------------------------------------------ // Extracts android asset -bool AndroidJNIIOSystem::AndroidExtractAsset(std::string name) -{ - std::string newPath = mApkWorkspacePath + getOsSeparator() + name; +bool AndroidJNIIOSystem::AndroidExtractAsset(std::string name) { + std::string newPath = mApkWorkspacePath + getOsSeparator() + name; - DefaultIOSystem io; + DefaultIOSystem io; - // Do not extract if extracted already - if ( io.Exists(newPath.c_str()) ) { - __android_log_print(ANDROID_LOG_DEFAULT, "Assimp", "Asset already extracted"); - return true; - } - // Open file - AAsset* asset = AAssetManager_open(mApkAssetManager, name.c_str(), + // Do not extract if extracted already + if ( io.Exists(newPath.c_str()) ) { + __android_log_print(ANDROID_LOG_DEFAULT, "Assimp", "Asset already extracted"); + return true; + } + + // Open file + AAsset* asset = AAssetManager_open(mApkAssetManager, name.c_str(), AASSET_MODE_UNKNOWN); - std::vector assetContent; + std::vector assetContent; - if (asset != NULL) { - // Find size - off_t assetSize = AAsset_getLength(asset); + if (asset != NULL) { + // Find size + off_t assetSize = AAsset_getLength(asset); - // Prepare input buffer - assetContent.resize(assetSize); + // Prepare input buffer + assetContent.resize(assetSize); - // Store input buffer - AAsset_read(asset, &assetContent[0], assetSize); + // Store input buffer + AAsset_read(asset, &assetContent[0], assetSize); - // Close - AAsset_close(asset); + // Close + AAsset_close(asset); - // Prepare directory for output buffer - std::string directoryNewPath = newPath; - directoryNewPath = dirname(&directoryNewPath[0]); + // Prepare directory for output buffer + std::string directoryNewPath = newPath; + directoryNewPath = dirname(&directoryNewPath[0]); - if (mkpath(directoryNewPath, S_IRUSR | S_IWUSR | S_IXUSR) == -1) { - 
__android_log_print(ANDROID_LOG_ERROR, "assimp", - "Can not create the directory for the output file"); - } + if (mkpath(directoryNewPath, S_IRUSR | S_IWUSR | S_IXUSR) == -1) { + __android_log_print(ANDROID_LOG_ERROR, "assimp", "Can not create the directory for the output file"); + } - // Prepare output buffer - std::ofstream assetExtracted(newPath.c_str(), - std::ios::out | std::ios::binary); - if (!assetExtracted) { - __android_log_print(ANDROID_LOG_ERROR, "assimp", - "Can not open output file"); - } + // Prepare output buffer + std::ofstream assetExtracted(newPath.c_str(), std::ios::out | std::ios::binary); + if (!assetExtracted) { + __android_log_print(ANDROID_LOG_ERROR, "assimp", "Can not open output file"); + } - // Write output buffer into a file - assetExtracted.write(&assetContent[0], assetContent.size()); - assetExtracted.close(); + // Write output buffer into a file + assetExtracted.write(&assetContent[0], assetContent.size()); + assetExtracted.close(); - __android_log_print(ANDROID_LOG_DEFAULT, "Assimp", "Asset extracted"); - } else { - __android_log_print(ANDROID_LOG_ERROR, "assimp", "Asset not found: %s", name.c_str()); - return false; - } - return true; + __android_log_print(ANDROID_LOG_DEFAULT, "Assimp", "Asset extracted"); + } else { + __android_log_print(ANDROID_LOG_ERROR, "assimp", "Asset not found: %s", name.c_str()); + return false; + } + + return true; } // ------------------------------------------------------------------------------------------------ // Open a new file with a given path. 
-IOStream* AndroidJNIIOSystem::Open( const char* strFile, const char* strMode) -{ - ai_assert(NULL != strFile); - ai_assert(NULL != strMode); +IOStream* AndroidJNIIOSystem::Open( const char* strFile, const char* strMode) { + ai_assert(nullptr != strFile); + ai_assert(nullptr != strMode); - std::string fullPath(mApkWorkspacePath + getOsSeparator() + std::string(strFile)); - if (Exists(strFile)) - AndroidExtractAsset(std::string(strFile)); + std::string fullPath(mApkWorkspacePath + getOsSeparator() + std::string(strFile)); + if (Exists(strFile)) { + AndroidExtractAsset(std::string(strFile)); + } - FILE* file = ::fopen( fullPath.c_str(), strMode); + FILE* file = ::fopen( fullPath.c_str(), strMode); + if (nullptr == file) { + return nullptr; + } - if( NULL == file) - return NULL; - - __android_log_print(ANDROID_LOG_ERROR, "assimp", "AndroidIOSystem: file %s opened", fullPath.c_str()); - return new DefaultIOStream(file, fullPath); + __android_log_print(ANDROID_LOG_ERROR, "assimp", "AndroidIOSystem: file %s opened", fullPath.c_str()); + return new DefaultIOStream(file, fullPath); } #undef PATHLIMIT From 5333e41607f07046c3a15c55bc74e1eecfad0ab7 Mon Sep 17 00:00:00 2001 From: Kim Kulling Date: Thu, 28 Oct 2021 17:52:01 +0200 Subject: [PATCH 03/13] Update AndroidJNIIOSystem.h --- .../port/AndroidJNI/AndroidJNIIOSystem.h | 24 +++++++------------ 1 file changed, 9 insertions(+), 15 deletions(-) diff --git a/include/assimp/port/AndroidJNI/AndroidJNIIOSystem.h b/include/assimp/port/AndroidJNI/AndroidJNIIOSystem.h index 370327542..bb52d3065 100644 --- a/include/assimp/port/AndroidJNI/AndroidJNIIOSystem.h +++ b/include/assimp/port/AndroidJNI/AndroidJNIIOSystem.h @@ -2,7 +2,7 @@ Open Asset Import Library (assimp) ---------------------------------------------------------------------- -Copyright (c) 2006-2020, assimp team +Copyright (c) 2006-2021, assimp team All rights reserved. Redistribution and use of this software in source and binary forms, 
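Review bot: In `AndroidExtractAsset` the result of `AAsset_read` is discarded, so a short read leaves the tail of `assetContent` zero-filled and that buffer is still written out as the extracted asset; because the function skips extraction whenever `io.Exists(newPath)` succeeds, the truncated copy is then reused on every later call. Two smaller defects sit in the same block: `&assetContent[0]` indexes an empty vector when the asset has length zero, and the "Can not open output file" branch only logs before `assetExtracted.write` runs on the failed stream (the `mkpath` failure is likewise only logged). Check the read length, use `data()`, and return `false` when the output cannot be opened; `Open` currently ignores `AndroidExtractAsset`'s return value and falls through to `fopen`, whose success it reports at `ANDROID_LOG_ERROR`. The hunk begins on an earlier line of this page.
```cpp
        // Store input buffer
        const int bytesRead = AAsset_read(asset, assetContent.data(), assetContent.size());
        AAsset_close(asset);
        if (bytesRead < 0 || static_cast<size_t>(bytesRead) != assetContent.size()) {
            __android_log_print(ANDROID_LOG_ERROR, "assimp", "Short read of asset: %s", name.c_str());
            return false;
        }
        // … unchanged: dirname / mkpath directory creation …
        std::ofstream assetExtracted(newPath.c_str(), std::ios::out | std::ios::binary);
        if (!assetExtracted) {
            __android_log_print(ANDROID_LOG_ERROR, "assimp", "Can not open output file");
            return false;
        }
        // Write output buffer into a file
        assetExtracted.write(assetContent.data(), assetContent.size());
```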
@@ -54,38 +54,32 @@ namespace Assimp {
 // ---------------------------------------------------------------------------
 /** Android extension to DefaultIOSystem using the standard C file functions */
-class ASSIMP_API AndroidJNIIOSystem : public DefaultIOSystem
-{
+class ASSIMP_API AndroidJNIIOSystem : public DefaultIOSystem {
 public:
- /** Initialize android activity data */
 std::string mApkWorkspacePath;
 AAssetManager* mApkAssetManager;
- /** Constructor. */
+ /// Constructor.
 AndroidJNIIOSystem(ANativeActivity* activity);
+ /// Class constructor with past and asset manager.
 AndroidJNIIOSystem(const char *internalPath, AAssetManager assetManager);
- /** Destructor. */
+ /// Destructor.
 ~AndroidJNIIOSystem();
- // -------------------------------------------------------------------
- /** Tests for the existence of a file at the given path. */
+ /// Tests for the existence of a file at the given path.
 bool Exists( const char* pFile) const;
- // -------------------------------------------------------------------
- /** Opens a file at the given path, with given mode */
+ /// Opens a file at the given path, with given mode
 IOStream* Open( const char* strFile, const char* strMode);
- // ------------------------------------------------------------------------------------------------
- // Inits Android extractor
+ /// Inits Android extractor
 void AndroidActivityInit(ANativeActivity* activity);
- // ------------------------------------------------------------------------------------------------
- // Extracts android asset
+ /// Extracts android asset
 bool AndroidExtractAsset(std::string name);
-
 };
 } //!ns Assimp
From 30f17aa2064b86c0096f0ec701b9e8ea9312fef2 Mon Sep 17 00:00:00 2001
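Review bot: The new Doxygen line `/// Class constructor with past and asset manager.` has a typo ("past" for "path") and says nothing about the contract the implementation relies on: the path is copied into a `std::string`, so it must be non-null, and the manager pointer is stored rather than owned. Suggested wording: `/// Constructor from the app's internal data path (non-null; copied) and its asset manager (stored, not owned).` The parameter is also still declared as a by-value `AAssetManager`, which does not match the `AAssetManager* mApkAssetManager` member a few lines above; patch 11 in this series changes it to a pointer. `mApkWorkspacePath` and `mApkAssetManager` stay public with no in-class initializer; `AAssetManager* mApkAssetManager = nullptr;` would make a partially initialized object fail closed instead of carrying garbage.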
From: Alex Rebert
Date: Thu, 28 Oct 2021 21:32:38 -0400
Subject: [PATCH 04/13] Fix heap out-of-bounds write in _m3d_safestr
While there is a 256 character limit when computing the length of the newly allocated strength, that limit was missing when copying the string. This commit adds a new length check in the copy loop, preventing it from writhing out of bounds.
Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34416
---
 code/AssetLib/M3D/m3d.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code/AssetLib/M3D/m3d.h b/code/AssetLib/M3D/m3d.h
index b148c11d7..875007eab 100644
--- a/code/AssetLib/M3D/m3d.h
+++ b/code/AssetLib/M3D/m3d.h
@@ -896,7 +896,7 @@ char *_m3d_safestr(char *in, int morelines) {
 if (!out) return NULL;
 while (*i == ' ' || *i == '\t' || *i == '\r' || (morelines && *i == '\n'))
 i++;
- for (; *i && (morelines || (*i != '\r' && *i != '\n')); i++) {
+ for (; *i && (morelines || (*i != '\r' && *i != '\n')) && o - out < l; i++) {
 if (*i == '\r') continue;
 if (*i == '\n') {
 if (morelines >= 3 && o > out && *(o - 1) == '\n') break;
From 932dfe05627c139013b9ea5d5e0e0e296b467e7e Mon Sep 17 00:00:00 2001
From: Alex Rebert
Date: Thu, 28 Oct 2021 22:27:19 -0400
Subject: [PATCH 05/13] Fix overflowing allocations in MDLMaterialLoader
Some allocations might underallocate due to integer overflows. This commit ensures that we are throwing an exception if the allocation size does not fit in an unsigned int.
Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25341
---
 code/AssetLib/MDL/MDLMaterialLoader.cpp | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/code/AssetLib/MDL/MDLMaterialLoader.cpp b/code/AssetLib/MDL/MDLMaterialLoader.cpp
index f44896819..62320814a 100644
--- a/code/AssetLib/MDL/MDLMaterialLoader.cpp
+++ b/code/AssetLib/MDL/MDLMaterialLoader.cpp
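Review bot: The new bound `o - out < l` is evaluated once per input character, so any branch of the loop body that emits two output bytes for a single input character (the `'\n'` handling begins at the bottom of the hunk; if it expands a newline to CR+LF for some `morelines` value, as the separate `'\r'` handling suggests) can still write `out[l]` and then place the terminator at `out[l+1]`, one past an `l+1`-byte allocation. Either check the remaining room before each write, or leave one byte of slack ahead of the two-byte branch, e.g. `if (o - out >= l - 1) break;` immediately before it. `l` and the allocation of `out` are above the hunk, so the exact slack is inferred rather than read; a one-line comment on the loop, `/* o may advance by two per iteration below, so keep one byte of slack */`, would make the invariant explicit for the next fuzzer report.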
@@ -132,6 +132,9 @@ void MDLImporter::CreateTextureARGB8_3DGS_MDL3(const unsigned char *szData) {
 pcNew->mWidth = pcHeader->skinwidth;
 pcNew->mHeight = pcHeader->skinheight;
+ if(pcNew->mWidth != 0 && pcNew->mHeight > UINT_MAX/pcNew->mWidth) {
+ throw DeadlyImportError("Invalid MDL file. A texture is too big.");
+ }
 pcNew->pcData = new aiTexel[pcNew->mWidth * pcNew->mHeight];
 const unsigned char *szColorMap;
@@ -217,6 +220,9 @@ void MDLImporter::ParseTextureColorData(const unsigned char *szData,
 // allocate storage for the texture image
 if (do_read) {
+ if(pcNew->mWidth != 0 && pcNew->mHeight > UINT_MAX/pcNew->mWidth) {
+ throw DeadlyImportError("Invalid MDL file. A texture is too big.");
+ }
 pcNew->pcData = new aiTexel[pcNew->mWidth * pcNew->mHeight];
 }
From 1fe9d405f5c4811eb6073cf5fc6622842192e06b Mon Sep 17 00:00:00 2001
From: Alex Rebert
Date: Thu, 28 Oct 2021 22:36:11 -0400
Subject: [PATCH 06/13] Fix out-of-bounds read in MDLImporter
Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24502
---
 code/AssetLib/MDL/MDLLoader.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code/AssetLib/MDL/MDLLoader.cpp b/code/AssetLib/MDL/MDLLoader.cpp
index 40475021b..c59375da0 100644
--- a/code/AssetLib/MDL/MDLLoader.cpp
+++ b/code/AssetLib/MDL/MDLLoader.cpp
@@ -600,7 +600,7 @@ void MDLImporter::InternReadFile_3DGS_MDL345() {
 // need to read all textures
 for (unsigned int i = 0; i < (unsigned int)pcHeader->num_skins; ++i) {
- if (szCurrent >= szEnd) {
+ if (szCurrent + sizeof(uint32_t) > szEnd) {
 throw DeadlyImportError("Texture data past end of file.");
 }
 BE_NCONST MDL::Skin *pcSkin;
From 107371657b39c8cd4bcc8d8865d9071ff17049d2 Mon Sep 17 00:00:00 2001
From: Alex Rebert
Date: Thu, 28 Oct 2021 23:12:54 -0400
Subject: [PATCH 07/13] Fix out-of-bounds read in ReadFirstSkin
Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25401
---
 code/AssetLib/HMP/HMPLoader.cpp | 1 +
 1 file changed, 1 insertion(+)
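Review bot: The identical overflow guard is pasted into both `CreateTextureARGB8_3DGS_MDL3` and `ParseTextureColorData`; a file-local helper, e.g. `static void CheckTextureSize(unsigned int w, unsigned int h) { if (w != 0 && h > UINT_MAX / w) throw DeadlyImportError("Invalid MDL file. A texture is too big."); }`, keeps the two sites from drifting and gives the next `new aiTexel[w * h]` something to call. The check only establishes that `mWidth * mHeight` fits in `unsigned int`: a zero width or height passes and yields `new aiTexel[0]`, which is legal for the allocation, but the code that then fills `pcData` (outside the hunk) presumably expects at least one texel, so a `w == 0 || h == 0` rejection in the same helper is worth considering if that holds. The element-size multiplication inside `new[]` is checked by the language, so no further guard is needed there; `UINT_MAX` does require `<climits>`, which the hunk does not show being included.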
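Review bot: `szCurrent + sizeof(uint32_t) > szEnd` forms a pointer that can lie more than one element past the end of the buffer before comparing it, which is undefined behaviour in C++ even though it behaves on flat address spaces; the HMP hunk's `SizeCheck(szCursor + 3 * sizeof(uint32_t))` has the same shape. Comparing remaining length instead avoids it: `if (szEnd - szCurrent < static_cast<ptrdiff_t>(sizeof(uint32_t))) {`. The new bound also only covers the 4-byte group field; reading the rest of the `MDL::Skin` record that follows (outside the hunk) presumably needs its own check unless a later one already exists.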
diff --git a/code/AssetLib/HMP/HMPLoader.cpp b/code/AssetLib/HMP/HMPLoader.cpp
index 97c1858fb..661e4d1b2 100644
--- a/code/AssetLib/HMP/HMPLoader.cpp
+++ b/code/AssetLib/HMP/HMPLoader.cpp
@@ -451,6 +451,7 @@ void HMPImporter::ReadFirstSkin(unsigned int iNumSkins, const unsigned char *szC
 // now we need to skip any other skins ...
 for (unsigned int i = 1; i < iNumSkins; ++i) {
+ SizeCheck(szCursor + 3 * sizeof(uint32_t));
 iType = *((uint32_t *)szCursor);
 szCursor += sizeof(uint32_t);
 iWidth = *((uint32_t *)szCursor);
From 6a3ac623b960905b3450b78e7614453dae0540ed Mon Sep 17 00:00:00 2001
From: Alex Rebert
Date: Thu, 28 Oct 2021 23:13:29 -0400
Subject: [PATCH 08/13] Fix out-of-bounds reads in OpenDDLParser
Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31795
Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24463
Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36594
---
 contrib/openddlparser/code/OpenDDLParser.cpp | 20 +++++++++++--------
 .../openddlparser/OpenDDLParserUtils.h | 3 ++-
 2 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/contrib/openddlparser/code/OpenDDLParser.cpp b/contrib/openddlparser/code/OpenDDLParser.cpp
index 0c9e0bd98..e2bef97a7 100644
--- a/contrib/openddlparser/code/OpenDDLParser.cpp
+++ b/contrib/openddlparser/code/OpenDDLParser.cpp
@@ -292,12 +292,15 @@ char *OpenDDLParser::parseHeader(char *in, char *end) {
 Property *first(nullptr);
 in = lookForNextToken(in, end);
- if (*in == Grammar::OpenPropertyToken[0]) {
+ if (in != end && *in == Grammar::OpenPropertyToken[0]) {
 in++;
 Property *prop(nullptr), *prev(nullptr);
- while (*in != Grammar::ClosePropertyToken[0] && in != end) {
+ while (in != end && *in != Grammar::ClosePropertyToken[0]) {
 in = OpenDDLParser::parseProperty(in, end, &prop);
 in = lookForNextToken(in, end);
+ if(in == end) {
+ break;
+ }
 if (*in != Grammar::CommaSeparator[0] && *in != Grammar::ClosePropertyToken[0]) {
 logInvalidTokenError(in, Grammar::ClosePropertyToken, m_logCallback);
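Review bot: The added `SizeCheck` covers the three `uint32_t` header words read here, but the loop must then advance `szCursor` past the skin's pixel data (the body continues below the hunk), and that advance — derived from the `iWidth`/`iHeight` values just read from the file — is where the remaining overrun risk lives; make sure it gets its own `SizeCheck` after the multiplication, and that the width-by-height product is computed in 64 bits or validated against `UINT32_MAX` before it is used as an offset. The `(uint32_t *)szCursor` casts in the surrounding context also assume alignment that a file offset does not guarantee; a `memcpy` into a local is the portable form, though that predates this change.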
@@ -314,7 +317,9 @@ char *OpenDDLParser::parseHeader(char *in, char *end) {
 prev = prop;
 }
 }
- ++in;
+ if(in != end) {
+ ++in;
+ }
 }
 // set the properties
@@ -479,7 +484,7 @@ void OpenDDLParser::normalizeBuffer(std::vector &buffer) {
 // check for a comment
 if (isCommentOpenTag(c, end)) {
 ++readIdx;
- while (!isCommentCloseTag(&buffer[readIdx], end)) {
+ while (readIdx < len && !isCommentCloseTag(&buffer[readIdx], end)) {
 ++readIdx;
 }
 ++readIdx;
@@ -489,7 +494,7 @@ void OpenDDLParser::normalizeBuffer(std::vector &buffer) {
 if (isComment(c, end)) {
 ++readIdx;
 // skip the comment and the rest of the line
- while (!isEndofLine(buffer[readIdx])) {
+ while (readIdx < len && !isEndofLine(buffer[readIdx])) {
 ++readIdx;
 }
 }
@@ -548,8 +553,7 @@ char *OpenDDLParser::parseIdentifier(char *in, char *end, Text **id) {
 // get size of id
 size_t idLen(0);
 char *start(in);
- while (!isSeparator(*in) &&
- !isNewLine(*in) && (in != end) &&
+ while ((in != end) && !isSeparator(*in) && !isNewLine(*in) &&
 *in != Grammar::OpenPropertyToken[0] &&
 *in != Grammar::ClosePropertyToken[0] &&
 *in != '$') {
@@ -861,7 +865,7 @@ char *OpenDDLParser::parseProperty(char *in, char *end, Property **prop) {
 in = parseIdentifier(in, end, &id);
 if (nullptr != id) {
 in = lookForNextToken(in, end);
- if (*in == '=') {
+ if (in != end && *in == '=') {
 ++in;
 in = getNextToken(in, end);
 Value *primData(nullptr);
diff --git a/contrib/openddlparser/include/openddlparser/OpenDDLParserUtils.h b/contrib/openddlparser/include/openddlparser/OpenDDLParserUtils.h
index 5f177f252..42ad675f8 100644
--- a/contrib/openddlparser/include/openddlparser/OpenDDLParserUtils.h
+++ b/contrib/openddlparser/include/openddlparser/OpenDDLParserUtils.h
@@ -318,7 +318,8 @@ static const unsigned char chartype_table[256] = {
 template inline bool isNumeric(const T in) {
- return (chartype_table[static_cast(in)] == 1);
+ size_t idx = static_cast(in);
+ return idx < sizeof(chartype_table) && (chartype_table[idx] == 1);
 }
 template
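Review bot: In the `isCommentOpenTag` branch of `normalizeBuffer` the scan is now bounded by `readIdx < len`, but `isCommentCloseTag(&buffer[readIdx], end)` inspects a two-character token, so the helper itself has to refuse to look at `buffer[readIdx + 1]` when `readIdx == len - 1` (it receives `end`, so it can; the helper is not in this hunk). The unconditional `++readIdx` after the loop then leaves `readIdx == len + 1` on an unterminated comment, which is only safe if nothing that follows (outside the hunk) indexes `buffer[readIdx]` without re-checking the bound; the `isComment` hunk has the same shape minus the trailing increment. A comment on the loop, `// an unterminated comment consumes the rest of the buffer`, would record the intended behaviour.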
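Review bot: In `isNumeric`, `static_cast<size_t>(in)` on a negative `char` (any byte ≥ 0x80 where `char` is signed) wraps to a huge index, so the new `idx < sizeof(chartype_table)` test rejects it rather than indexing out of range — correct, but only by way of the wrap-around, which will surprise the next reader. For the `char` instantiation, casting through `unsigned char` states the intent directly and keeps the table lookup for high bytes: `size_t idx = static_cast<unsigned char>(in);`; the range check can stay for wider `T`. The template parameter list has been stripped from this copy of the hunk, so the exact instantiations are inferred.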
From 1909b3e8d27deed5acc93e7f9a0bf48b397e1788 Mon Sep 17 00:00:00 2001
From: Alex Rebert
Date: Thu, 28 Oct 2021 23:33:07 -0400
Subject: [PATCH 09/13] Fix overflow in IOStreamBuffer
`getNextLine` & `getNextDataLine` now double the buffer size each time it is needed to avoid writing out of bounds.
Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24465
---
 include/assimp/IOStreamBuffer.h | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/include/assimp/IOStreamBuffer.h b/include/assimp/IOStreamBuffer.h
index d54774759..bbb5ef256 100644
--- a/include/assimp/IOStreamBuffer.h
+++ b/include/assimp/IOStreamBuffer.h
@@ -261,6 +261,11 @@ AI_FORCE_INLINE bool IOStreamBuffer::getNextDataLine(std::vector &buffer,
 buffer[i] = m_cache[m_cachePos];
 ++m_cachePos;
 ++i;
+
+ if(i == buffer.size()) {
+ buffer.resize(buffer.size() * 2);
+ }
+
 if (m_cachePos >= size()) {
 break;
 }
@@ -308,6 +313,11 @@ AI_FORCE_INLINE bool IOStreamBuffer::getNextLine(std::vector &buffer) {
 buffer[i] = m_cache[m_cachePos];
 ++m_cachePos;
 ++i;
+
+ if(i == buffer.size()) {
+ buffer.resize(buffer.size() * 2);
+ }
+
 if (m_cachePos >= m_cacheSize) {
 if (!readNextBlock()) {
 return false;
From 6f07e89fdfb0ef3ca554ceac576aceb4420aa1c3 Mon Sep 17 00:00:00 2001
From: Alex Rebert
Date: Thu, 28 Oct 2021 23:50:16 -0400
Subject: [PATCH 10/13] Fix out-of-bounds read in RemoveLineComments
Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24553
---
 code/Common/RemoveComments.cpp | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/code/Common/RemoveComments.cpp b/code/Common/RemoveComments.cpp
index e1ba99761..9974e985a 100644
--- a/code/Common/RemoveComments.cpp
+++ b/code/Common/RemoveComments.cpp
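Review bot: The doubling in `getNextDataLine` (and the identical block in `getNextLine`) runs after `buffer[i]` has already been written, so it only protects callers that pass a non-empty vector: an empty `buffer` hits `buffer[0]` before any resize, and `buffer.size() * 2` of zero stays zero forever. Placing the check ahead of the write covers both cases: `if (i == buffer.size()) { buffer.resize(buffer.empty() ? 1 : buffer.size() * 2); }` — whether an empty buffer can actually reach these loops depends on the callers, which are outside the hunk. Growth is otherwise bounded only by the stream, so a line with no terminator pulls the whole remaining file into `buffer`; if that is not the intent, a maximum line length with a `return false` would cap memory on hostile input. Both enclosing functions start before their hunks.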
@@ -64,20 +64,28 @@ void CommentRemover::RemoveLineComments(const char* szComment,
 if (len > lenBuffer) {
 len = lenBuffer;
 }
- while (*szBuffer) {
+
+ char *szCurrent = szBuffer;
+ while (*szCurrent) {
 // skip over quotes
- if (*szBuffer == '\"' || *szBuffer == '\'')
- while (*szBuffer++ && *szBuffer != '\"' && *szBuffer != '\'');
- if (!strncmp(szBuffer,szComment,len)) {
- while (!IsLineEnd(*szBuffer))
- *szBuffer++ = chReplacement;
+ if (*szCurrent == '\"' || *szCurrent == '\'')
+ while (*szCurrent++ && *szCurrent != '\"' && *szCurrent != '\'');
- if (!*szBuffer) {
+ size_t lenRemaining = lenBuffer - (szCurrent - szBuffer);
+ if(lenRemaining < len) {
+ break;
+ }
+
+ if (!strncmp(szCurrent,szComment,len)) {
+ while (!IsLineEnd(*szCurrent))
+ *szCurrent++ = chReplacement;
+
+ if (!*szCurrent) {
 break;
 }
 }
- ++szBuffer;
+ ++szCurrent;
 }
 }
From f28500dd0f69bda6402c3b6f92d25334c4415127 Mon Sep 17 00:00:00 2001
From: Daniel-Genkin
Date: Fri, 29 Oct 2021 09:03:55 -0400
Subject: [PATCH 11/13] Fixed building of Android port
---
 include/assimp/port/AndroidJNI/AndroidJNIIOSystem.h | 2 +-
 port/AndroidJNI/AndroidJNIIOSystem.cpp | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/include/assimp/port/AndroidJNI/AndroidJNIIOSystem.h b/include/assimp/port/AndroidJNI/AndroidJNIIOSystem.h
index bb52d3065..29ad8e079 100644
--- a/include/assimp/port/AndroidJNI/AndroidJNIIOSystem.h
+++ b/include/assimp/port/AndroidJNI/AndroidJNIIOSystem.h
@@ -64,7 +64,7 @@ public:
 AndroidJNIIOSystem(ANativeActivity* activity);
 /// Class constructor with past and asset manager.
- AndroidJNIIOSystem(const char *internalPath, AAssetManager assetManager);
+ AndroidJNIIOSystem(const char *internalPath, AAssetManager* assetManager);
 /// Destructor.
 ~AndroidJNIIOSystem();
diff --git a/port/AndroidJNI/AndroidJNIIOSystem.cpp b/port/AndroidJNI/AndroidJNIIOSystem.cpp
index 00cf3af9c..e0f812362 100644
--- a/port/AndroidJNI/AndroidJNIIOSystem.cpp
+++ b/port/AndroidJNI/AndroidJNIIOSystem.cpp
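Review bot: The new `lenRemaining` guard can be bypassed by the quote-skipping loop just above it: `while (*szCurrent++ && ...)` post-increments before the NUL test, so on an unterminated quote it leaves `szCurrent` one past the terminator; `szCurrent - szBuffer` then exceeds `lenBuffer` (if `lenBuffer` is the string length, as the `len > lenBuffer` clamp suggests), the unsigned subtraction wraps to a huge `lenRemaining`, and `strncmp` reads past the buffer after all. Compute the consumed length first and stop when it is already at or past the end: `const size_t consumed = static_cast<size_t>(szCurrent - szBuffer); if (consumed >= lenBuffer || lenBuffer - consumed < len) { break; }`. The enclosing function starts before the hunk, so where `lenBuffer` comes from is inferred.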
@@ -67,8 +67,8 @@ AndroidJNIIOSystem::AndroidJNIIOSystem(ANativeActivity* activity)
 AndroidActivityInit(activity);
 }
-AndroidJNIIOSystem::AndroidJNIIOSystem(const char *internalPath, AAssetManager assetManager) :
- mApkWorkspacePath(internalDataPath),
+AndroidJNIIOSystem::AndroidJNIIOSystem(const char *internalPath, AAssetManager* assetManager) :
+ mApkWorkspacePath(internalPath),
 mApkAssetManager(assetManager) {
 // empty
 }
From e90061779637e4fe46798f2318fe26746d8dac78 Mon Sep 17 00:00:00 2001
From: Alex Rebert
Date: Fri, 29 Oct 2021 09:17:40 -0400
Subject: [PATCH 12/13] Fix out-of-bounds read in FileSystemFilter::Cleanup
Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33238
---
 code/Common/FileSystemFilter.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/code/Common/FileSystemFilter.h b/code/Common/FileSystemFilter.h
index 6782dd9e5..81576aa6c 100644
--- a/code/Common/FileSystemFilter.h
+++ b/code/Common/FileSystemFilter.h
@@ -300,13 +300,14 @@ private:
 const char separator = getOsSeparator();
 for (it = in.begin(); it != in.end(); ++it) {
+ int remaining = std::distance(in.end(), it);
 // Exclude :// and \\, which remain untouched.
 // https://sourceforge.net/tracker/?func=detail&aid=3031725&group_id=226462&atid=1067632
- if ( !strncmp(&*it, "://", 3 )) {
+ if (remaining >= 3 && !strncmp(&*it, "://", 3 )) {
 it += 3;
 continue;
 }
- if (it == in.begin() && !strncmp(&*it, "\\\\", 2)) {
+ if (it == in.begin() && remaining >= 2 && !strncmp(&*it, "\\\\", 2)) {
 it += 2;
 continue;
 }
From 5a3401b69f0c3e7ba27aa96481e32b2618b7827e Mon Sep 17 00:00:00 2001
From: Kim Kulling
Date: Tue, 2 Nov 2021 10:38:38 +0100
Subject: [PATCH 13/13] Update D3MFOpcPackage.cpp
- Log an error in case of a nullptr-exception in reading out the 3MF-Archive
- closes https://github.com/assimp/assimp/issues/4153
---
 code/AssetLib/3MF/D3MFOpcPackage.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
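Review bot: `mApkWorkspacePath(internalPath)` constructs a `std::string` from a `const char*` with no null check; `std::string(nullptr)` is undefined behaviour (a crash on the common implementations), whereas the `ANativeActivity*` path received an explicit `activity == nullptr` guard in patch 02. Either guard it the same way, `mApkWorkspacePath(internalPath ? internalPath : "")`, or state the non-null requirement on the declaration. `assetManager` is stored unchecked as well; a null there is at least a defined value, but it later reaches `AAssetManager_open` in `Exists` without being tested.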
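Review bot: `std::distance(in.end(), it)` has its arguments reversed: for a random-access iterator it evaluates to `it - in.end()`, which is zero or negative, so `remaining >= 3` and `remaining >= 2` are never true and the `://` and leading `\\` exclusions this loop exists for are silently disabled — every such prefix now gets its separators rewritten. It should read `const auto remaining = std::distance(it, in.end());`, and the narrowing to `int` is unnecessary; `std::ptrdiff_t` (or `auto`) keeps the comparison exact for long paths. A unit test that feeds `"http://host/x"` and `"\\\\server\\share"` through `Cleanup` would have caught the inversion. The enclosing function starts before the hunk.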
diff --git a/code/AssetLib/3MF/D3MFOpcPackage.cpp b/code/AssetLib/3MF/D3MFOpcPackage.cpp
index ac5b91e67..8d51a7417 100644
--- a/code/AssetLib/3MF/D3MFOpcPackage.cpp
+++ b/code/AssetLib/3MF/D3MFOpcPackage.cpp
@@ -149,7 +149,7 @@ D3MFOpcPackage::D3MFOpcPackage(IOSystem *pIOHandler, const std::string &rFile) :
 IOStream *fileStream = mZipArchive->Open(file.c_str());
 if (nullptr == fileStream) {
- ai_assert(fileStream != nullptr);
+ ASSIMP_LOG_ERROR("Filestream is nullptr.");
 continue;
 }
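Review bot: The new `ASSIMP_LOG_ERROR("Filestream is nullptr.")` omits the one detail that makes the message actionable — `file`, the archive entry that failed to open, is right there in the `mZipArchive->Open(file.c_str())` call above it; log it, e.g. `ASSIMP_LOG_ERROR("Filestream is nullptr for ", file);` if the logger's variadic overload is available in this tree, otherwise `"Filestream is nullptr for " + file`. Because the loop `continue`s, a 3MF package with an unreadable part is now imported silently minus that part; that is what the commit asks for, but the caller has no signal that the model is incomplete, so a comment on the `continue` stating that partial packages are accepted on purpose would save the next reader a detour. The enclosing constructor starts before the hunk.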