diff --git a/code/AssetLib/HMP/HMPLoader.cpp b/code/AssetLib/HMP/HMPLoader.cpp index 97c1858fb..661e4d1b2 100644 --- a/code/AssetLib/HMP/HMPLoader.cpp +++ b/code/AssetLib/HMP/HMPLoader.cpp @@ -451,6 +451,7 @@ void HMPImporter::ReadFirstSkin(unsigned int iNumSkins, const unsigned char *szC // now we need to skip any other skins ... for (unsigned int i = 1; i < iNumSkins; ++i) { + SizeCheck(szCursor + 3 * sizeof(uint32_t)); iType = *((uint32_t *)szCursor); szCursor += sizeof(uint32_t); iWidth = *((uint32_t *)szCursor); diff --git a/code/AssetLib/M3D/m3d.h b/code/AssetLib/M3D/m3d.h index b148c11d7..875007eab 100644 --- a/code/AssetLib/M3D/m3d.h +++ b/code/AssetLib/M3D/m3d.h @@ -896,7 +896,7 @@ char *_m3d_safestr(char *in, int morelines) { if (!out) return NULL; while (*i == ' ' || *i == '\t' || *i == '\r' || (morelines && *i == '\n')) i++; - for (; *i && (morelines || (*i != '\r' && *i != '\n')); i++) { + for (; *i && (morelines || (*i != '\r' && *i != '\n')) && o - out < l; i++) { if (*i == '\r') continue; if (*i == '\n') { if (morelines >= 3 && o > out && *(o - 1) == '\n') break; diff --git a/code/AssetLib/MDL/MDLLoader.cpp b/code/AssetLib/MDL/MDLLoader.cpp index 40475021b..c59375da0 100644 --- a/code/AssetLib/MDL/MDLLoader.cpp +++ b/code/AssetLib/MDL/MDLLoader.cpp @@ -600,7 +600,7 @@ void MDLImporter::InternReadFile_3DGS_MDL345() { // need to read all textures for (unsigned int i = 0; i < (unsigned int)pcHeader->num_skins; ++i) { - if (szCurrent >= szEnd) { + if (szCurrent + sizeof(uint32_t) > szEnd) { throw DeadlyImportError("Texture data past end of file."); } BE_NCONST MDL::Skin *pcSkin; diff --git a/code/AssetLib/MDL/MDLMaterialLoader.cpp b/code/AssetLib/MDL/MDLMaterialLoader.cpp index f44896819..62320814a 100644 --- a/code/AssetLib/MDL/MDLMaterialLoader.cpp +++ b/code/AssetLib/MDL/MDLMaterialLoader.cpp @@ -132,6 +132,9 @@ void MDLImporter::CreateTextureARGB8_3DGS_MDL3(const unsigned char *szData) { pcNew->mWidth = pcHeader->skinwidth; pcNew->mHeight = pcHeader->skinheight; + if(pcNew->mWidth != 0 && pcNew->mHeight > UINT_MAX/pcNew->mWidth) { + throw DeadlyImportError("Invalid MDL file. A texture is too big."); + } pcNew->pcData = new aiTexel[pcNew->mWidth * pcNew->mHeight]; const unsigned char *szColorMap; @@ -217,6 +220,9 @@ void MDLImporter::ParseTextureColorData(const unsigned char *szData, // allocate storage for the texture image if (do_read) { + if(pcNew->mWidth != 0 && pcNew->mHeight > UINT_MAX/pcNew->mWidth) { + throw DeadlyImportError("Invalid MDL file. A texture is too big."); + } pcNew->pcData = new aiTexel[pcNew->mWidth * pcNew->mHeight]; } diff --git a/code/Common/FileSystemFilter.h b/code/Common/FileSystemFilter.h index 6782dd9e5..81576aa6c 100644 --- a/code/Common/FileSystemFilter.h +++ b/code/Common/FileSystemFilter.h @@ -300,13 +300,14 @@ private: const char separator = getOsSeparator(); for (it = in.begin(); it != in.end(); ++it) { + int remaining = std::distance(in.end(), it); // Exclude :// and \\, which remain untouched. // https://sourceforge.net/tracker/?func=detail&aid=3031725&group_id=226462&atid=1067632 - if ( !strncmp(&*it, "://", 3 )) { + if (remaining >= 3 && !strncmp(&*it, "://", 3 )) { it += 3; continue; } - if (it == in.begin() && !strncmp(&*it, "\\\\", 2)) { + if (it == in.begin() && remaining >= 2 && !strncmp(&*it, "\\\\", 2)) { it += 2; continue; } diff --git a/code/Common/RemoveComments.cpp b/code/Common/RemoveComments.cpp index e1ba99761..9974e985a 100644 --- a/code/Common/RemoveComments.cpp +++ b/code/Common/RemoveComments.cpp @@ -64,20 +64,28 @@ void CommentRemover::RemoveLineComments(const char* szComment, if (len > lenBuffer) { len = lenBuffer; } - while (*szBuffer) { + + char *szCurrent = szBuffer; + while (*szCurrent) { // skip over quotes - if (*szBuffer == '\"' || *szBuffer == '\'') - while (*szBuffer++ && *szBuffer != '\"' && *szBuffer != '\''); - if (!strncmp(szBuffer,szComment,len)) { - while (!IsLineEnd(*szBuffer)) - *szBuffer++ = chReplacement; + if (*szCurrent == '\"' || *szCurrent == '\'') + while (*szCurrent++ && *szCurrent != '\"' && *szCurrent != '\''); - if (!*szBuffer) { + size_t lenRemaining = lenBuffer - (szCurrent - szBuffer); + if(lenRemaining < len) { + break; + } + + if (!strncmp(szCurrent,szComment,len)) { + while (!IsLineEnd(*szCurrent)) + *szCurrent++ = chReplacement; + + if (!*szCurrent) { break; } } - ++szBuffer; + ++szCurrent; } } diff --git a/contrib/openddlparser/code/OpenDDLParser.cpp b/contrib/openddlparser/code/OpenDDLParser.cpp index 0c9e0bd98..e2bef97a7 100644 --- a/contrib/openddlparser/code/OpenDDLParser.cpp +++ b/contrib/openddlparser/code/OpenDDLParser.cpp @@ -292,12 +292,15 @@ char *OpenDDLParser::parseHeader(char *in, char *end) { Property *first(nullptr); in = lookForNextToken(in, end); - if (*in == Grammar::OpenPropertyToken[0]) { + if (in != end && *in == Grammar::OpenPropertyToken[0]) { in++; Property *prop(nullptr), *prev(nullptr); - while (*in != Grammar::ClosePropertyToken[0] && in != end) { + while (in != end && *in != Grammar::ClosePropertyToken[0]) { in = OpenDDLParser::parseProperty(in, end, &prop); in = lookForNextToken(in, end); + if(in == end) { + break; + } if (*in != Grammar::CommaSeparator[0] && *in != Grammar::ClosePropertyToken[0]) { logInvalidTokenError(in, Grammar::ClosePropertyToken, m_logCallback); @@ -314,7 +317,9 @@ char *OpenDDLParser::parseHeader(char *in, char *end) { prev = prop; } } - ++in; + if(in != end) { + ++in; + } } // set the properties @@ -479,7 +484,7 @@ void OpenDDLParser::normalizeBuffer(std::vector &buffer) { // check for a comment if (isCommentOpenTag(c, end)) { ++readIdx; - while (!isCommentCloseTag(&buffer[readIdx], end)) { + while (readIdx < len && !isCommentCloseTag(&buffer[readIdx], end)) { ++readIdx; } ++readIdx; @@ -489,7 +494,7 @@ void OpenDDLParser::normalizeBuffer(std::vector &buffer) { if (isComment(c, end)) { ++readIdx; // skip the comment and the rest of the line - while (!isEndofLine(buffer[readIdx])) { + while (readIdx < len && !isEndofLine(buffer[readIdx])) { ++readIdx; } } @@ -548,8 +553,7 @@ char *OpenDDLParser::parseIdentifier(char *in, char *end, Text **id) { // get size of id size_t idLen(0); char *start(in); - while (!isSeparator(*in) && - !isNewLine(*in) && (in != end) && + while ((in != end) && !isSeparator(*in) && !isNewLine(*in) && *in != Grammar::OpenPropertyToken[0] && *in != Grammar::ClosePropertyToken[0] && *in != '$') { @@ -861,7 +865,7 @@ char *OpenDDLParser::parseProperty(char *in, char *end, Property **prop) { in = parseIdentifier(in, end, &id); if (nullptr != id) { in = lookForNextToken(in, end); - if (*in == '=') { + if (in != end && *in == '=') { ++in; in = getNextToken(in, end); Value *primData(nullptr); diff --git a/contrib/openddlparser/include/openddlparser/OpenDDLParserUtils.h b/contrib/openddlparser/include/openddlparser/OpenDDLParserUtils.h index 5f177f252..42ad675f8 100644 --- a/contrib/openddlparser/include/openddlparser/OpenDDLParserUtils.h +++ b/contrib/openddlparser/include/openddlparser/OpenDDLParserUtils.h @@ -318,7 +318,8 @@ static const unsigned char chartype_table[256] = { template inline bool isNumeric(const T in) { - return (chartype_table[static_cast(in)] == 1); + size_t idx = static_cast(in); + return idx < sizeof(chartype_table) && (chartype_table[idx] == 1); } template diff --git a/include/assimp/IOStreamBuffer.h b/include/assimp/IOStreamBuffer.h index d54774759..bbb5ef256 100644 --- a/include/assimp/IOStreamBuffer.h +++ b/include/assimp/IOStreamBuffer.h @@ -261,6 +261,11 @@ AI_FORCE_INLINE bool IOStreamBuffer::getNextDataLine(std::vector &buffer, buffer[i] = m_cache[m_cachePos]; ++m_cachePos; ++i; + + if(i == buffer.size()) { + buffer.resize(buffer.size() * 2); + } + if (m_cachePos >= size()) { break; } @@ -308,6 +313,11 @@ AI_FORCE_INLINE bool IOStreamBuffer::getNextLine(std::vector &buffer) { buffer[i] = m_cache[m_cachePos]; ++m_cachePos; ++i; + + if(i == buffer.size()) { + buffer.resize(buffer.size() * 2); + } + if (m_cachePos >= m_cacheSize) { if (!readNextBlock()) { return false;