v4games
/
assimp
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

A fuzzed stride could cause the max count to become negative and hence wrap around uint

pull/5414/head
Florian Born 2024-01-09 13:42:33 +01:00
parent c8ca1a48ec
commit 32873dc5b2
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
code/AssetLib/glTF2/glTF2Asset.inl
View File

@ -1000,10 +1000,10 @@ size_t Accessor::ExtractData(T *&outData, const std::vector<unsigned int> *remap
outData = new T[usedCount]; outData = new T[usedCount];
if (remappingIndices != nullptr) { if (remappingIndices != nullptr) {
const unsigned int maxIndex = static_cast<unsigned int>(maxSize / stride - 1); const unsigned int maxIndexCount = static_cast<unsigned int>(maxSize / stride);
for (size_t i = 0; i < usedCount; ++i) { for (size_t i = 0; i < usedCount; ++i) {
size_t srcIdx = (*remappingIndices)[i]; size_t srcIdx = (*remappingIndices)[i];
if (srcIdx > maxIndex) { if (srcIdx >= maxIndexCount) {
throw DeadlyImportError("GLTF: index*stride ", (srcIdx * stride), " > maxSize ", maxSize, " in ", getContextForErrorMessages(id, name)); throw DeadlyImportError("GLTF: index*stride ", (srcIdx * stride), " > maxSize ", maxSize, " in ", getContextForErrorMessages(id, name));
} }
memcpy(outData + i, data + srcIdx * stride, elemSize); memcpy(outData + i, data + srcIdx * stride, elemSize);