From 5bb1c6debdfa1a665ce2c1ba4b904772e688f8c6 Mon Sep 17 00:00:00 2001
From: Alex <aleksandrosansan@gmail.com>
Date: Wed, 31 May 2023 13:13:21 +0000
Subject: [PATCH] Fix UNKNOWN READ crash in UpdateMeshReferences

---
 code/PostProcessing/FindInvalidDataProcess.cpp | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/code/PostProcessing/FindInvalidDataProcess.cpp b/code/PostProcessing/FindInvalidDataProcess.cpp
index bb8e365a1..aa91139bc 100644
--- a/code/PostProcessing/FindInvalidDataProcess.cpp
+++ b/code/PostProcessing/FindInvalidDataProcess.cpp
@@ -82,6 +82,9 @@ void UpdateMeshReferences(aiNode *node, const std::vector<unsigned int> &meshMap
         for (unsigned int a = 0; a < node->mNumMeshes; ++a) {
 
             unsigned int ref = node->mMeshes[a];
+            if (ref >= meshMapping.size())
+                throw DeadlyImportError("Invalid mesh ref");
+
             if (UINT_MAX != (ref = meshMapping[ref])) {
                 node->mMeshes[out++] = ref;
             }
@@ -143,7 +146,13 @@ void FindInvalidDataProcess::Execute(aiScene *pScene) {
             // we need to remove some meshes.
             // therefore we'll also need to remove all references
             // to them from the scenegraph
-            UpdateMeshReferences(pScene->mRootNode, meshMapping);
+            try {
+                UpdateMeshReferences(pScene->mRootNode, meshMapping);
+            } catch (const std::exception&) {
+                // fix the real number of meshes otherwise we'll get double free in the scene destructor
+                pScene->mNumMeshes = real;
+                throw;
+            }
             pScene->mNumMeshes = real;
         }