From 8d2af995de379e6125f25189e6de152ec165bdce Mon Sep 17 00:00:00 2001 From: Turo Lamminen Date: Sat, 12 Mar 2016 23:48:05 +0200 Subject: [PATCH] MD2: Fix integer overflows on malformed input --- code/MD2Loader.cpp | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/code/MD2Loader.cpp b/code/MD2Loader.cpp index 4b7bbe67a..5e73d89fa 100644 --- a/code/MD2Loader.cpp +++ b/code/MD2Loader.cpp @@ -169,6 +169,26 @@ void MD2Importer::ValidateHeader( ) if (m_pcHeader->offsetEnd > (uint32_t)fileSize) throw DeadlyImportError( "Invalid md2 file: File is too small"); + if (m_pcHeader->numSkins > AI_MAX_ALLOC(MD2::Skin)) { + throw DeadlyImportError("Invalid MD2 header: too many skins, would overflow"); + } + + if (m_pcHeader->numVertices > AI_MAX_ALLOC(MD2::Vertex)) { + throw DeadlyImportError("Invalid MD2 header: too many vertices, would overflow"); + } + + if (m_pcHeader->numTexCoords > AI_MAX_ALLOC(MD2::TexCoord)) { + throw DeadlyImportError("Invalid MD2 header: too many texcoords, would overflow"); + } + + if (m_pcHeader->numTriangles > AI_MAX_ALLOC(MD2::Triangle)) { + throw DeadlyImportError("Invalid MD2 header: too many triangles, would overflow"); + } + + if (m_pcHeader->numFrames > AI_MAX_ALLOC(MD2::Frame)) { + throw DeadlyImportError("Invalid MD2 header: too many frames, would overflow"); + } + if (m_pcHeader->offsetSkins + m_pcHeader->numSkins * sizeof (MD2::Skin) >= fileSize || m_pcHeader->offsetTexCoords + m_pcHeader->numTexCoords * sizeof (MD2::TexCoord) >= fileSize || m_pcHeader->offsetTriangles + m_pcHeader->numTriangles * sizeof (MD2::Triangle) >= fileSize ||
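Review bot: The `offset + count * sizeof(...)` sums in the range check at the end of this hunk can still wrap, because the new `AI_MAX_ALLOC` limits bound only the counts and no offset field is validated on its own. Assuming the header fields are 32-bit and the build has a 32-bit `size_t`, a large `offsetSkins`, `offsetTexCoords` or `offsetTriangles` from a malformed file could wrap the sum to a small value and pass the `>= fileSize` test. Comparing against the remaining space removes the addition, e.g. `m_pcHeader->offsetSkins >= fileSize || m_pcHeader->numSkins * sizeof (MD2::Skin) >= fileSize - m_pcHeader->offsetSkins`, and likewise for the other tables. That condition and the body of `ValidateHeader` continue past the end of the hunk, so the frames term is not visible here; if it multiplies by a header-supplied frame size rather than `sizeof(MD2::Frame)`, the new `numFrames` limit would not bound that product.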