Fix heap out-of-bounds write in _m3d_safestr

While there is a 256 character limit when computing the length of the
newly allocated string, that limit was missing when copying the
string. This commit adds a new length check in the copy loop, preventing
it from writing out of bounds.

Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34416
pull/4146/head
Alex Rebert 2021-10-28 21:32:38 -04:00
parent d273a784d0
commit 30f17aa206
No known key found for this signature in database
GPG Key ID: E082090D746F1A81
1 changed files with 1 additions and 1 deletions

@ -896,7 +896,7 @@ char *_m3d_safestr(char *in, int morelines) {
if (!out) return NULL; if (!out) return NULL;
while (*i == ' ' || *i == '\t' || *i == '\r' || (morelines && *i == '\n')) while (*i == ' ' || *i == '\t' || *i == '\r' || (morelines && *i == '\n'))
i++; i++;
for (; *i && (morelines || (*i != '\r' && *i != '\n')); i++) { for (; *i && (morelines || (*i != '\r' && *i != '\n')) && o - out < l; i++) {
if (*i == '\r') continue; if (*i == '\r') continue;
if (*i == '\n') { if (*i == '\n') {
if (morelines >= 3 && o > out && *(o - 1) == '\n') break; if (morelines >= 3 && o > out && *(o - 1) == '\n') break;
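
Review bot: the new `o - out < l` test in the `for` condition is evaluated only once per iteration, so it bounds the copy only if every path through the loop body stores at most one byte through `o`. The body is only partly visible in this hunk (the `'\n'` branch starts on its last lines), so please confirm that no branch writes more than one byte per pass, or put the check next to each store instead. The allocation of `out` and the computation of `l` are above the hunk: if a terminating NUL is stored after the loop, the buffer needs to be at least `l + 1` bytes, because the loop can now exit with `o - out == l`. A short comment that input beyond the limit is silently truncated, plus the reproducer from OSS-Fuzz issue 34416 as a regression test, would make the intent of the bound clear to later readers.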