Merge pull request #4736 from assimp/kimkulling/fix_heap-buffer-overflow_in_md5_issue-4965

FIX: Fix head overflow in MD5-parser.
pull/4739/head
Kim Kulling 2022-09-20 21:52:13 +02:00 committed by GitHub
commit 65b14ef79d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 89 additions and 105 deletions

View File

@ -60,14 +60,11 @@ using namespace Assimp::MD5;
// ------------------------------------------------------------------------------------------------ // ------------------------------------------------------------------------------------------------
// Parse the segment structure for an MD5 file // Parse the segment structure for an MD5 file
MD5Parser::MD5Parser(char *_buffer, unsigned int _fileSize) { MD5Parser::MD5Parser(char *_buffer, unsigned int _fileSize) : buffer(_buffer), bufferEnd(nullptr), fileSize(_fileSize), lineNumber(0) {
ai_assert(nullptr != _buffer); ai_assert(nullptr != _buffer);
ai_assert(0 != _fileSize); ai_assert(0 != _fileSize);
buffer = _buffer; bufferEnd = buffer + fileSize;
fileSize = _fileSize;
lineNumber = 0;
ASSIMP_LOG_DEBUG("MD5Parser begin"); ASSIMP_LOG_DEBUG("MD5Parser begin");
// parse the file header // parse the file header

View File

@ -39,7 +39,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
---------------------------------------------------------------------- ----------------------------------------------------------------------
*/ */
#pragma once
/** @file MD5Parser.h /** @file MD5Parser.h
* @brief Definition of the .MD5 parser class. * @brief Definition of the .MD5 parser class.
@ -51,7 +51,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#include <assimp/types.h> #include <assimp/types.h>
#include <assimp/ParsingUtils.h> #include <assimp/ParsingUtils.h>
#include <vector> #include <vector>
#include <stdint.h> #include <cstdint>
struct aiFace; struct aiFace;
@ -63,8 +63,7 @@ namespace MD5 {
* *
* Elements are always contained in sections. * Elements are always contained in sections.
*/ */
struct Element struct Element {
{
//! Points to the starting point of the element //! Points to the starting point of the element
//! Whitespace at the beginning and at the end have been removed, //! Whitespace at the beginning and at the end have been removed,
//! Elements are terminated with \0 //! Elements are terminated with \0
@ -75,15 +74,14 @@ struct Element
unsigned int iLineNumber; unsigned int iLineNumber;
}; };
typedef std::vector< Element > ElementList; using ElementList = std::vector<Element>;
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
/** Represents a section of a MD5 file (such as the mesh or the joints section) /** Represents a section of a MD5 file (such as the mesh or the joints section)
* *
* A section is always enclosed in { and } brackets. * A section is always enclosed in { and } brackets.
*/ */
struct Section struct Section {
{
//! Original line number (can be used in error messages //! Original line number (can be used in error messages
//! if a parsing error occurs) //! if a parsing error occurs)
unsigned int iLineNumber; unsigned int iLineNumber;
@ -99,13 +97,12 @@ struct Section
std::string mGlobalValue; std::string mGlobalValue;
}; };
typedef std::vector< Section> SectionList; using SectionList = std::vector<Section>;
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
/** Basic information about a joint /** Basic information about a joint
*/ */
struct BaseJointDescription struct BaseJointDescription {
{
//! Name of the bone //! Name of the bone
aiString mName; aiString mName;
@ -116,8 +113,7 @@ struct BaseJointDescription
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
/** Represents a bone (joint) descriptor in a MD5Mesh file /** Represents a bone (joint) descriptor in a MD5Mesh file
*/ */
struct BoneDesc : BaseJointDescription struct BoneDesc : BaseJointDescription {
{
//! Absolute position of the bone //! Absolute position of the bone
aiVector3D mPositionXYZ; aiVector3D mPositionXYZ;
@ -137,13 +133,12 @@ struct BoneDesc : BaseJointDescription
unsigned int mMap; unsigned int mMap;
}; };
typedef std::vector< BoneDesc > BoneList; using BoneList = std::vector<BoneDesc>;
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
/** Represents a bone (joint) descriptor in a MD5Anim file /** Represents a bone (joint) descriptor in a MD5Anim file
*/ */
struct AnimBoneDesc : BaseJointDescription struct AnimBoneDesc : BaseJointDescription {
{
//! Flags (AI_MD5_ANIMATION_FLAG_xxx) //! Flags (AI_MD5_ANIMATION_FLAG_xxx)
unsigned int iFlags; unsigned int iFlags;
@ -151,35 +146,31 @@ struct AnimBoneDesc : BaseJointDescription
unsigned int iFirstKeyIndex; unsigned int iFirstKeyIndex;
}; };
typedef std::vector< AnimBoneDesc > AnimBoneList; using AnimBoneList = std::vector< AnimBoneDesc >;
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
/** Represents a base frame descriptor in a MD5Anim file /** Represents a base frame descriptor in a MD5Anim file
*/ */
struct BaseFrameDesc struct BaseFrameDesc {
{
aiVector3D vPositionXYZ; aiVector3D vPositionXYZ;
aiVector3D vRotationQuat; aiVector3D vRotationQuat;
}; };
typedef std::vector< BaseFrameDesc > BaseFrameList; using BaseFrameList = std::vector<BaseFrameDesc>;
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
/** Represents a camera animation frame in a MDCamera file /** Represents a camera animation frame in a MDCamera file
*/ */
struct CameraAnimFrameDesc : BaseFrameDesc struct CameraAnimFrameDesc : BaseFrameDesc {
{
float fFOV; float fFOV;
}; };
typedef std::vector< CameraAnimFrameDesc > CameraFrameList; using CameraFrameList = std::vector<CameraAnimFrameDesc>;
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
/** Represents a frame descriptor in a MD5Anim file /** Represents a frame descriptor in a MD5Anim file
*/ */
struct FrameDesc struct FrameDesc {
{
//! Index of the frame //! Index of the frame
unsigned int iIndex; unsigned int iIndex;
@ -187,15 +178,14 @@ struct FrameDesc
std::vector< float > mValues; std::vector< float > mValues;
}; };
typedef std::vector< FrameDesc > FrameList; using FrameList = std::vector<FrameDesc>;
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
/** Represents a vertex descriptor in a MD5 file /** Represents a vertex descriptor in a MD5 file
*/ */
struct VertexDesc { struct VertexDesc {
VertexDesc() AI_NO_EXCEPT VertexDesc() AI_NO_EXCEPT
: mFirstWeight(0) : mFirstWeight(0), mNumWeights(0) {
, mNumWeights(0) {
// empty // empty
} }
@ -210,13 +200,12 @@ struct VertexDesc {
unsigned int mNumWeights; unsigned int mNumWeights;
}; };
typedef std::vector< VertexDesc > VertexList; using VertexList = std::vector<VertexDesc>;
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
/** Represents a vertex weight descriptor in a MD5 file /** Represents a vertex weight descriptor in a MD5 file
*/ */
struct WeightDesc struct WeightDesc {
{
//! Index of the bone to which this weight refers //! Index of the bone to which this weight refers
unsigned int mBone; unsigned int mBone;
@ -228,14 +217,13 @@ struct WeightDesc
aiVector3D vOffsetPosition; aiVector3D vOffsetPosition;
}; };
typedef std::vector< WeightDesc > WeightList; using WeightList = std::vector<WeightDesc>;
typedef std::vector< aiFace > FaceList; using FaceList = std::vector<aiFace>;
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
/** Represents a mesh in a MD5 file /** Represents a mesh in a MD5 file
*/ */
struct MeshDesc struct MeshDesc {
{
//! Weights of the mesh //! Weights of the mesh
WeightList mWeights; WeightList mWeights;
@ -249,7 +237,7 @@ struct MeshDesc
aiString mShader; aiString mShader;
}; };
typedef std::vector< MeshDesc > MeshList; using MeshList = std::vector<MeshDesc>;
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
// Convert a quaternion to its usual representation // Convert a quaternion to its usual representation
@ -261,9 +249,11 @@ inline void ConvertQuaternion (const aiVector3D& in, aiQuaternion& out) {
const float t = 1.0f - (in.x*in.x) - (in.y*in.y) - (in.z*in.z); const float t = 1.0f - (in.x*in.x) - (in.y*in.y) - (in.z*in.z);
if (t < 0.0f) if (t < 0.0f) {
out.w = 0.0f; out.w = 0.0f;
else out.w = std::sqrt (t); } else {
out.w = std::sqrt (t);
}
// Assimp convention. // Assimp convention.
out.w *= -1.f; out.w *= -1.f;
@ -272,10 +262,8 @@ inline void ConvertQuaternion (const aiVector3D& in, aiQuaternion& out) {
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
/** Parses the data sections of a MD5 mesh file /** Parses the data sections of a MD5 mesh file
*/ */
class MD5MeshParser class MD5MeshParser {
{
public: public:
// ------------------------------------------------------------------- // -------------------------------------------------------------------
/** Constructs a new MD5MeshParser instance from an existing /** Constructs a new MD5MeshParser instance from an existing
* preparsed list of file sections. * preparsed list of file sections.
@ -297,10 +285,8 @@ public:
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
/** Parses the data sections of a MD5 animation file /** Parses the data sections of a MD5 animation file
*/ */
class MD5AnimParser class MD5AnimParser {
{
public: public:
// ------------------------------------------------------------------- // -------------------------------------------------------------------
/** Constructs a new MD5AnimParser instance from an existing /** Constructs a new MD5AnimParser instance from an existing
* preparsed list of file sections. * preparsed list of file sections.
@ -329,10 +315,8 @@ public:
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
/** Parses the data sections of a MD5 camera animation file /** Parses the data sections of a MD5 camera animation file
*/ */
class MD5CameraParser class MD5CameraParser {
{
public: public:
// ------------------------------------------------------------------- // -------------------------------------------------------------------
/** Constructs a new MD5CameraParser instance from an existing /** Constructs a new MD5CameraParser instance from an existing
* preparsed list of file sections. * preparsed list of file sections.
@ -341,7 +325,6 @@ public:
*/ */
explicit MD5CameraParser(SectionList& mSections); explicit MD5CameraParser(SectionList& mSections);
//! Output frame rate //! Output frame rate
float fFrameRate; float fFrameRate;
@ -356,10 +339,8 @@ public:
/** Parses the block structure of MD5MESH and MD5ANIM files (but does no /** Parses the block structure of MD5MESH and MD5ANIM files (but does no
* further processing) * further processing)
*/ */
class MD5Parser class MD5Parser {
{
public: public:
// ------------------------------------------------------------------- // -------------------------------------------------------------------
/** Constructs a new MD5Parser instance from an existing buffer. /** Constructs a new MD5Parser instance from an existing buffer.
* *
@ -392,13 +373,10 @@ public:
return ReportWarning(warn, lineNumber); return ReportWarning(warn, lineNumber);
} }
public:
//! List of all sections which have been read //! List of all sections which have been read
SectionList mSections; SectionList mSections;
private: private:
// ------------------------------------------------------------------- // -------------------------------------------------------------------
/** Parses a file section. The current file pointer must be outside /** Parses a file section. The current file pointer must be outside
* of a section. * of a section.
@ -414,22 +392,31 @@ private:
*/ */
void ParseHeader(); void ParseHeader();
bool SkipLine(const char* in, const char** out);
bool SkipLine( );
bool SkipSpacesAndLineEnd( const char* in, const char** out);
bool SkipSpacesAndLineEnd();
bool SkipSpaces();
// override these functions to make sure the line counter gets incremented char* buffer;
// ------------------------------------------------------------------- char* bufferEnd;
bool SkipLine( const char* in, const char** out) unsigned int fileSize;
{ unsigned int lineNumber;
};
// -------------------------------------------------------------------
inline bool MD5Parser::SkipLine(const char* in, const char** out) {
++lineNumber; ++lineNumber;
return Assimp::SkipLine(in,out); return Assimp::SkipLine(in ,out);
} }
// -------------------------------------------------------------------
bool SkipLine( ) // -------------------------------------------------------------------
{ inline bool MD5Parser::SkipLine( ) {
return SkipLine(buffer,(const char**)&buffer); return SkipLine(buffer,(const char**)&buffer);
} }
// -------------------------------------------------------------------
bool SkipSpacesAndLineEnd( const char* in, const char** out) // -------------------------------------------------------------------
{ inline bool MD5Parser::SkipSpacesAndLineEnd( const char* in, const char** out) {
bool bHad = false; bool bHad = false;
bool running = true; bool running = true;
while (running) { while (running) {
@ -442,26 +429,26 @@ private:
} }
else if (*in == '\t' || *in == ' ')bHad = false; else if (*in == '\t' || *in == ' ')bHad = false;
else break; else break;
in++; ++in;
if (in == bufferEnd) {
break;
}
} }
*out = in; *out = in;
return *in != '\0'; return *in != '\0';
} }
// -------------------------------------------------------------------
bool SkipSpacesAndLineEnd( )
{
return SkipSpacesAndLineEnd(buffer,(const char**)&buffer);
}
// -------------------------------------------------------------------
bool SkipSpaces( )
{
return Assimp::SkipSpaces((const char**)&buffer);
}
char* buffer; // -------------------------------------------------------------------
unsigned int fileSize; inline bool MD5Parser::SkipSpacesAndLineEnd() {
unsigned int lineNumber; return SkipSpacesAndLineEnd(buffer,(const char**)&buffer);
}; }
}}
// -------------------------------------------------------------------
inline bool MD5Parser::SkipSpaces() {
return Assimp::SkipSpaces((const char**)&buffer);
}
} // namespace Assimp
} // namespace MD5
#endif // AI_MD5PARSER_H_INCLUDED #endif // AI_MD5PARSER_H_INCLUDED