From 30f17aa2064b86c0096f0ec701b9e8ea9312fef2 Mon Sep 17 00:00:00 2001
From: Alex Rebert
Date: Thu, 28 Oct 2021 21:32:38 -0400
Subject: [PATCH] Fix heap out-of-bounds write in _m3d_safestr

While there is a 256 character limit when computing the length of the newly allocated strength, that limit was missing when copying the string. This commit adds a new length check in the copy loop, preventing it from writhing out of bounds.

Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34416
---
 code/AssetLib/M3D/m3d.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/code/AssetLib/M3D/m3d.h b/code/AssetLib/M3D/m3d.h
index b148c11d7..875007eab 100644
--- a/code/AssetLib/M3D/m3d.h
+++ b/code/AssetLib/M3D/m3d.h
@@ -896,7 +896,7 @@ char *_m3d_safestr(char *in, int morelines) {
 if (!out) return NULL;
 while (*i == ' ' || *i == '\t' || *i == '\r' || (morelines && *i == '\n'))
 i++;
- for (; *i && (morelines || (*i != '\r' && *i != '\n')); i++) {
+ for (; *i && (morelines || (*i != '\r' && *i != '\n')) && o - out < l; i++) {
 if (*i == '\r') continue;
 if (*i == '\n') {
 if (morelines >= 3 && o > out && *(o - 1) == '\n') break;
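Review bot: The new bound `o - out < l` on the for line is correct as a write guard but carries no explanation, so the next reader will not know why the copy loop can run past the length that was counted for the allocation; add a comment above the loop such as `/* never write more than the l bytes counted above: the counting loop and this copy loop do not accept exactly the same characters, so *i alone is not a safe bound */`. The guard is only sufficient if every iteration writes at most one byte through `o` before the condition is re-evaluated; the loop body after `break;` is outside the hunk, so confirm no path emits two bytes in one pass. The commit message implies the real divergence is between the counting loop and this one, and that counting loop is also outside the hunk, so the guard truncates rather than fixes the disagreement; a regression input whose first 256 characters are counted and copied under different rules would pin the behaviour. The body of _m3d_safestr continues past the end of the hunk.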