Fix buffer overflow in MD3Loader (#5763)
Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>pull/5764/head^2
parent
d468e633b1
commit
3bd98611d7
|
@ -724,6 +724,7 @@ void MD3Importer::InternReadFile(const std::string &pFile, aiScene *pScene, IOSy
|
||||||
std::vector<unsigned char> mBuffer2(fileSize);
|
std::vector<unsigned char> mBuffer2(fileSize);
|
||||||
file->Read(&mBuffer2[0], 1, fileSize);
|
file->Read(&mBuffer2[0], 1, fileSize);
|
||||||
mBuffer = &mBuffer2[0];
|
mBuffer = &mBuffer2[0];
|
||||||
|
const unsigned char* bufferEnd = mBuffer + fileSize;
|
||||||
|
|
||||||
pcHeader = (BE_NCONST MD3::Header *)mBuffer;
|
pcHeader = (BE_NCONST MD3::Header *)mBuffer;
|
||||||
|
|
||||||
|
@ -749,9 +750,15 @@ void MD3Importer::InternReadFile(const std::string &pFile, aiScene *pScene, IOSy
|
||||||
|
|
||||||
// Navigate to the list of surfaces
|
// Navigate to the list of surfaces
|
||||||
BE_NCONST MD3::Surface *pcSurfaces = (BE_NCONST MD3::Surface *)(mBuffer + pcHeader->OFS_SURFACES);
|
BE_NCONST MD3::Surface *pcSurfaces = (BE_NCONST MD3::Surface *)(mBuffer + pcHeader->OFS_SURFACES);
|
||||||
|
if ((const unsigned char*)pcSurfaces + sizeof(MD3::Surface) * pcHeader->NUM_SURFACES > bufferEnd) {
|
||||||
|
throw DeadlyImportError("MD3 surface headers are outside the file");
|
||||||
|
}
|
||||||
|
|
||||||
// Navigate to the list of tags
|
// Navigate to the list of tags
|
||||||
BE_NCONST MD3::Tag *pcTags = (BE_NCONST MD3::Tag *)(mBuffer + pcHeader->OFS_TAGS);
|
BE_NCONST MD3::Tag *pcTags = (BE_NCONST MD3::Tag *)(mBuffer + pcHeader->OFS_TAGS);
|
||||||
|
if ((const unsigned char*)pcTags + sizeof(MD3::Tag) * pcHeader->NUM_TAGS > bufferEnd) {
|
||||||
|
throw DeadlyImportError("MD3 tags are outside the file");
|
||||||
|
}
|
||||||
|
|
||||||
// Allocate output storage
|
// Allocate output storage
|
||||||
pScene->mNumMeshes = pcHeader->NUM_SURFACES;
|
pScene->mNumMeshes = pcHeader->NUM_SURFACES;
|
||||||
|
@ -1026,6 +1033,10 @@ void MD3Importer::InternReadFile(const std::string &pFile, aiScene *pScene, IOSy
|
||||||
|
|
||||||
for (unsigned int i = 0; i < pcHeader->NUM_TAGS; ++i, ++pcTags) {
|
for (unsigned int i = 0; i < pcHeader->NUM_TAGS; ++i, ++pcTags) {
|
||||||
aiNode *nd = pScene->mRootNode->mChildren[i] = new aiNode();
|
aiNode *nd = pScene->mRootNode->mChildren[i] = new aiNode();
|
||||||
|
if ((const unsigned char*)pcTags + sizeof(MD3::Tag) > bufferEnd) {
|
||||||
|
throw DeadlyImportError("MD3 tag is outside the file");
|
||||||
|
}
|
||||||
|
|
||||||
nd->mName.Set((const char *)pcTags->NAME);
|
nd->mName.Set((const char *)pcTags->NAME);
|
||||||
nd->mParent = pScene->mRootNode;
|
nd->mParent = pScene->mRootNode;
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue