From 5cc4a61d66cf234cfa59d7a1914ab4462bcb583a Mon Sep 17 00:00:00 2001
From: Alex
Date: Wed, 31 May 2023 06:28:03 +0000
Subject: [PATCH] Fix Heap-buffer-overflow READ in Assimp::MD5::MD5MeshParser::MD5MeshParser
---
 code/AssetLib/MD5/MD5Parser.cpp | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/code/AssetLib/MD5/MD5Parser.cpp b/code/AssetLib/MD5/MD5Parser.cpp
index dce4c5732..97dedab71 100644
--- a/code/AssetLib/MD5/MD5Parser.cpp
+++ b/code/AssetLib/MD5/MD5Parser.cpp
@@ -228,15 +228,20 @@ bool MD5Parser::ParseSection(Section &out) {
 out.data[out.length] = '\0';
 // parse a string, enclosed in quotation marks
-#define AI_MD5_PARSE_STRING_IN_QUOTATION(out) \
- while ('\"' != *sz) \
- ++sz; \
- const char *szStart = ++sz; \
- while ('\"' != *sz) \
- ++sz; \
- const char *szEnd = (sz++); \
- out.length = (ai_uint32)(szEnd - szStart); \
- ::memcpy(out.data, szStart, out.length); \
+#define AI_MD5_PARSE_STRING_IN_QUOTATION(out) \
+ out.length = 0; \
+ while ('\"' != *sz && '\0' != *sz) \
+ ++sz; \
+ if ('\0' != *sz) { \
+ const char *szStart = ++sz; \
+ while ('\"' != *sz && '\0' != *sz) \
+ ++sz; \
+ if ('\0' != *sz) { \
+ const char *szEnd = (sz++); \
+ out.length = (ai_uint32)(szEnd - szStart); \
+ ::memcpy(out.data, szStart, out.length); \
+ } \
+ } \
 out.data[out.length] = '\0';
 // ------------------------------------------------------------------------------------------------
 // .MD5MESH parsing function
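Review bot: The `::memcpy(out.data, szStart, out.length)` in the new macro body is still unbounded on the destination side: `out.length` is the distance between the two quotes in the input file, and nothing in the hunk compares it with the capacity of `out.data`. The added `'\0' != *sz` checks stop the over-read, but a quoted string longer than the destination would become an out-of-bounds write, so I would clamp or reject before the copy, e.g. `if (out.length >= sizeof(out.data)) out.length = sizeof(out.data) - 1; \` (this assumes `out.data` is a fixed-size array; its declaration is outside the hunk). The sentinel checks also only help if the section buffer is guaranteed to be NUL-terminated, which the hunk does not show, so that is worth confirming at the place the buffer is filled. An unterminated string now silently yields an empty name; a warning on that path would make malformed files easier to triage.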