Merge pull request #523 from turol/afl-fixes

More crash fixes
pull/591/merge
Kim Kulling 2015-06-22 16:56:51 +02:00
commit 85e2f47dc8
6 changed files with 24 additions and 7 deletions

View File

@ -284,6 +284,9 @@ void AC3DImporter::LoadObjectSection(std::vector<Object>& objects)
SkipSpaces(&buffer); SkipSpaces(&buffer);
unsigned int t = strtoul10(buffer,&buffer); unsigned int t = strtoul10(buffer,&buffer);
if (t >= std::numeric_limits<int32_t>::max() / sizeof(aiVector3D)) {
throw DeadlyImportError("AC3D: Too many vertices, would run out of memory");
}
obj.vertices.reserve(t); obj.vertices.reserve(t);
for (unsigned int i = 0; i < t;++i) for (unsigned int i = 0; i < t;++i)
{ {
@ -608,6 +611,9 @@ aiNode* AC3DImporter::ConvertObjectSection(Object& object,
face.mIndices[i] = cur++; face.mIndices[i] = cur++;
// copy vertex positions // copy vertex positions
if ((vertices - mesh->mVertices) >= mesh->mNumVertices) {
throw DeadlyImportError("AC3D: Invalid number of vertices");
}
*vertices = object.vertices[entry.first] + object.translation; *vertices = object.vertices[entry.first] + object.translation;
@ -639,6 +645,10 @@ aiNode* AC3DImporter::ConvertObjectSection(Object& object,
face.mIndices[1] = cur++; face.mIndices[1] = cur++;
// copy vertex positions // copy vertex positions
if (it2 == (*it).entries.end() ) {
throw DeadlyImportError("AC3D: Bad line");
}
ai_assert((*it2).first < object.vertices.size());
*vertices++ = object.vertices[(*it2).first]; *vertices++ = object.vertices[(*it2).first];
// copy texture coordinates // copy texture coordinates

View File

@ -169,7 +169,6 @@ void Logger::debug(const char* message) {
// sometimes importers will include data from the input file // sometimes importers will include data from the input file
// (i.e. node names) in their messages. // (i.e. node names) in their messages.
if (strlen(message)>MAX_LOG_MESSAGE_LENGTH) { if (strlen(message)>MAX_LOG_MESSAGE_LENGTH) {
ai_assert(false);
return; return;
} }
return OnDebug(message); return OnDebug(message);
@ -180,7 +179,6 @@ void Logger::info(const char* message) {
// SECURITY FIX: see above // SECURITY FIX: see above
if (strlen(message)>MAX_LOG_MESSAGE_LENGTH) { if (strlen(message)>MAX_LOG_MESSAGE_LENGTH) {
ai_assert(false);
return; return;
} }
return OnInfo(message); return OnInfo(message);
@ -191,7 +189,6 @@ void Logger::warn(const char* message) {
// SECURITY FIX: see above // SECURITY FIX: see above
if (strlen(message)>MAX_LOG_MESSAGE_LENGTH) { if (strlen(message)>MAX_LOG_MESSAGE_LENGTH) {
ai_assert(false);
return; return;
} }
return OnWarn(message); return OnWarn(message);
@ -202,7 +199,6 @@ void Logger::error(const char* message) {
// SECURITY FIX: see above // SECURITY FIX: see above
if (strlen(message)>MAX_LOG_MESSAGE_LENGTH) { if (strlen(message)>MAX_LOG_MESSAGE_LENGTH) {
ai_assert(false);
return; return;
} }
return OnError(message); return OnError(message);

View File

@ -478,6 +478,9 @@ void MD3Importer::ReadSkin(Q3Shader::SkinData& fill) const
std::string::size_type s = filename.find_last_of('_'); std::string::size_type s = filename.find_last_of('_');
if (s == std::string::npos) { if (s == std::string::npos) {
s = filename.find_last_of('.'); s = filename.find_last_of('.');
if (s == std::string::npos) {
s = filename.size();
}
} }
ai_assert(s != std::string::npos); ai_assert(s != std::string::npos);
@ -539,7 +542,9 @@ bool MD3Importer::ReadMultipartFile()
{ {
// check whether the file name contains a common postfix, e.g lower_2.md3 // check whether the file name contains a common postfix, e.g lower_2.md3
std::string::size_type s = filename.find_last_of('_'), t = filename.find_last_of('.'); std::string::size_type s = filename.find_last_of('_'), t = filename.find_last_of('.');
ai_assert(t != std::string::npos);
if (t == std::string::npos)
t = filename.size();
if (s == std::string::npos) if (s == std::string::npos)
s = t; s = t;

View File

@ -431,7 +431,9 @@ void ObjFileImporter::createVertexArray(const ObjFile::Model* pModel,
pMesh->mTextureCoords[ 0 ][ newIndex ] = aiVector3D( coord3d.x, coord3d.y, coord3d.z ); pMesh->mTextureCoords[ 0 ][ newIndex ] = aiVector3D( coord3d.x, coord3d.y, coord3d.z );
} }
ai_assert( pMesh->mNumVertices > newIndex ); if ( pMesh->mNumVertices <= newIndex ) {
throw DeadlyImportError("OBJ: bad vertex index");
}
// Get destination face // Get destination face
aiFace *pDestFace = &pMesh->mFaces[ outIndex ]; aiFace *pDestFace = &pMesh->mFaces[ outIndex ];

View File

@ -265,7 +265,7 @@ void ObjFileParser::getVector( std::vector<aiVector3D> &point3d_array ) {
copyNextWord( m_buffer, BUFFERSIZE ); copyNextWord( m_buffer, BUFFERSIZE );
z = ( float ) fast_atof( m_buffer ); z = ( float ) fast_atof( m_buffer );
} else { } else {
ai_assert( !"Invalid number of components" ); throw DeadlyImportError( "OBJ: Invalid number of components" );
} }
point3d_array.push_back( aiVector3D( x, y, z ) ); point3d_array.push_back( aiVector3D( x, y, z ) );
m_DataIt = skipLine<DataArrayIt>( m_DataIt, m_DataItEnd, m_uiLine ); m_DataIt = skipLine<DataArrayIt>( m_DataIt, m_DataItEnd, m_uiLine );

View File

@ -165,6 +165,10 @@ void XFileImporter::CreateDataRepresentationFromImport( aiScene* pScene, XFile::
CreateMeshes( pScene, pScene->mRootNode, pData->mGlobalMeshes); CreateMeshes( pScene, pScene->mRootNode, pData->mGlobalMeshes);
} }
if (!pScene->mRootNode) {
throw DeadlyImportError( "No root node" );
}
// Convert everything to OpenGL space... it's the same operation as the conversion back, so we can reuse the step directly // Convert everything to OpenGL space... it's the same operation as the conversion back, so we can reuse the step directly
MakeLeftHandedProcess convertProcess; MakeLeftHandedProcess convertProcess;
convertProcess.Execute( pScene); convertProcess.Execute( pScene);