v4games
/
assimp
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #5110 from sashashura/4890437695700992 

Fix Heap-buffer-overflow READ in Assimp::MD5::MD5MeshParser::MD5MeshParser
pull/5090/head
Kim Kulling 2023-06-08 13:15:35 +02:00 committed by GitHub
parent d5844f26b5 11dede8fc4
commit 9950bb4ed6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
code/AssetLib/MD5/MD5Parser.cpp
View File

@ -229,14 +229,19 @@ bool MD5Parser::ParseSection(Section &out) {
// parse a string, enclosed in quotation marks // parse a string, enclosed in quotation marks
#define AI_MD5_PARSE_STRING_IN_QUOTATION(out) \ #define AI_MD5_PARSE_STRING_IN_QUOTATION(out) \
while ('\"' != *sz) \ out.length = 0; \
while ('\"' != *sz && '\0' != *sz) \
++sz; \ ++sz; \
if ('\0' != *sz) { \
const char *szStart = ++sz; \ const char *szStart = ++sz; \
while ('\"' != *sz) \ while ('\"' != *sz && '\0' != *sz) \
++sz; \ ++sz; \
if ('\0' != *sz) { \
const char *szEnd = (sz++); \ const char *szEnd = (sz++); \
out.length = (ai_uint32)(szEnd - szStart); \ out.length = (ai_uint32)(szEnd - szStart); \
::memcpy(out.data, szStart, out.length); \ ::memcpy(out.data, szStart, out.length); \
} \
} \
out.data[out.length] = '\0'; out.data[out.length] = '\0';
// ------------------------------------------------------------------------------------------------ // ------------------------------------------------------------------------------------------------
// .MD5MESH parsing function // .MD5MESH parsing function