A fuzzed stride could cause the max count to become negative and hence wrap around uint (#5414)

Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>
2024-07-23 16:17:54 +02:00 · 2024-07-23 16:17:54 +02:00 · 76de7cedf4
parent c55158cd82
commit 76de7cedf4
1 changed files with 2 additions and 2 deletions
--- a/code/AssetLib/glTF2/glTF2Asset.inl
+++ b/code/AssetLib/glTF2/glTF2Asset.inl
@ -1036,10 +1036,10 @@ size_t Accessor::ExtractData(T *&outData, const std::vector<unsigned int> *remap
    outData = new T[usedCount];
    if (remappingIndices != nullptr) {
-        const unsigned int maxIndex = static_cast<unsigned int>(maxSize / stride - 1);
+        const unsigned int maxIndexCount = static_cast<unsigned int>(maxSize / stride);
        for (size_t i = 0; i < usedCount; ++i) {
            size_t srcIdx = (*remappingIndices)[i];
-            if (srcIdx > maxIndex) {
+            if (srcIdx >= maxIndexCount) {
                throw DeadlyImportError("GLTF: index*stride ", (srcIdx * stride), " > maxSize ", maxSize, " in ", getContextForErrorMessages(id, name));
            }
            memcpy(outData + i, data + srcIdx * stride, elemSize);