From a4274930e496f8cc905329b49dfe29ff424cb175 Mon Sep 17 00:00:00 2001 From: sashashura <93376818+sashashura@users.noreply.github.com> Date: Sat, 16 Jul 2022 13:46:50 +0100 Subject: [PATCH 1/4] Fixes Heap-use-after-free in Assimp::DXFImporter::ExpandBlockReferences --- code/AssetLib/DXF/DXFLoader.cpp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/code/AssetLib/DXF/DXFLoader.cpp b/code/AssetLib/DXF/DXFLoader.cpp index 6b2dbbe82..2f1ec35b4 100644 --- a/code/AssetLib/DXF/DXFLoader.cpp +++ b/code/AssetLib/DXF/DXFLoader.cpp @@ -368,7 +368,9 @@ void DXFImporter::ExpandBlockReferences(DXF::Block& bl,const DXF::BlockMap& bloc // XXX this would be the place to implement recursive expansion if needed. const DXF::Block& bl_src = *(*it).second; - for (std::shared_ptr pl_in : bl_src.lines) { + const size_t size = bl_src.lines.size(); // the size may increase in the loop + for (size_t i = 0; i < size; ++i) { + std::shared_ptr pl_in = bl_src.lines[i]; if (!pl_in) { ASSIMP_LOG_ERROR("DXF: PolyLine instance is nullptr, skipping."); continue; From 94c0e9d89087805da3d7bef979d4e70cbcb00b18 Mon Sep 17 00:00:00 2001 From: sashashura <93376818+sashashura@users.noreply.github.com> Date: Sat, 16 Jul 2022 13:48:39 +0100 Subject: [PATCH 2/4] Fixes Heap-buffer-overflow in std::__1::basic_string, std::__1::allocator Date: Sat, 16 Jul 2022 13:50:54 +0100 Subject: [PATCH 3/4] Fixes Heap-buffer-overflow in Assimp::ObjFileParser::getFace --- code/AssetLib/Obj/ObjFileParser.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/code/AssetLib/Obj/ObjFileParser.cpp b/code/AssetLib/Obj/ObjFileParser.cpp index 4e50d5dae..4dc08edbc 100644 --- a/code/AssetLib/Obj/ObjFileParser.cpp +++ b/code/AssetLib/Obj/ObjFileParser.cpp 
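Review bot: The size snapshot removes the iterator invalidation, but the comment `// the size may increase in the loop` leaves the cause unstated: `bl_src.lines` can only grow if it aliases a container the loop body appends to — presumably `bl.lines` when a block references itself, which I cannot confirm from this hunk. I would make that explicit, e.g. `// Snapshot the count: bl_src may be bl itself (a self-referencing block) and the body appends to bl.lines, which would invalidate range-for iterators; the snapshot also means such a reference is expanded once rather than recursively.` A malformed self-reference is still processed silently; an explicit `if (&bl_src == &bl)` skip with an ASSIMP_LOG_ERROR, like the nullptr case below it, would make that input visible. Keep `std::shared_ptr pl_in` a by-value copy here — a later "avoid the copy" change to `const auto&` would reintroduce the use-after-free when the vector reallocates. ExpandBlockReferences continues outside the hunk.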
@@ -458,7 +458,8 @@ void ObjFileParser::getFace(aiPrimitiveType type) { iPos = 0; } else { //OBJ USES 1 Base ARRAYS!!!! - const int iVal(::atoi(&(*m_DataIt))); + std::string number(&(*m_DataIt), m_DataItEnd - m_DataIt); + const int iVal(::atoi(number.c_str())); // increment iStep position based off of the sign and # of digits int tmp = iVal; From 9ddc3a64d7b8f95c7aafd7f6ad2fb97d459c7f0b Mon Sep 17 00:00:00 2001 From: sashashura <93376818+sashashura@users.noreply.github.com> Date: Sat, 16 Jul 2022 13:55:08 +0100 Subject: [PATCH 4/4] Fixes Crash in Assimp::ObjFileMtlImporter::getFloatValue --- code/AssetLib/Obj/ObjFileMtlImporter.cpp | 48 ++++++++++++++++-------- 1 file changed, 32 insertions(+), 16 deletions(-) diff --git a/code/AssetLib/Obj/ObjFileMtlImporter.cpp b/code/AssetLib/Obj/ObjFileMtlImporter.cpp index a73277701..f8ab1b69e 100644 --- a/code/AssetLib/Obj/ObjFileMtlImporter.cpp +++ b/code/AssetLib/Obj/ObjFileMtlImporter.cpp @@ -126,17 +126,21 @@ void ObjFileMtlImporter::load() { if (*m_DataIt == 'a') // Ambient color { ++m_DataIt; - getColorRGBA(&m_pModel->m_pCurrentMaterial->ambient); + if (m_pModel->m_pCurrentMaterial != nullptr) + getColorRGBA(&m_pModel->m_pCurrentMaterial->ambient); } else if (*m_DataIt == 'd') { // Diffuse color ++m_DataIt; - getColorRGBA(&m_pModel->m_pCurrentMaterial->diffuse); + if (m_pModel->m_pCurrentMaterial != nullptr) + getColorRGBA(&m_pModel->m_pCurrentMaterial->diffuse); } else if (*m_DataIt == 's') { ++m_DataIt; - getColorRGBA(&m_pModel->m_pCurrentMaterial->specular); + if (m_pModel->m_pCurrentMaterial != nullptr) + getColorRGBA(&m_pModel->m_pCurrentMaterial->specular); } else if (*m_DataIt == 'e') { ++m_DataIt; - getColorRGBA(&m_pModel->m_pCurrentMaterial->emissive); + if (m_pModel->m_pCurrentMaterial != nullptr) + getColorRGBA(&m_pModel->m_pCurrentMaterial->emissive); } m_DataIt = skipLine(m_DataIt, m_DataItEnd, m_uiLine); } break; 
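Review bot: The new `std::string number(&(*m_DataIt), m_DataItEnd - m_DataIt)` copies the entire remaining buffer for every face index, so a large OBJ with many faces now costs O(n²) — a practical slowdown on untrusted input — when only the leading sign and digit run are needed for `atoi`. Bounding the copy to that run keeps atoi's semantics and the digit counting on `tmp` below, assuming `m_DataIt` is positioned on the number rather than on leading whitespace (which the sign/digit step below seems to assume; I cannot see the token scan). `::atoi` also has undefined behavior on out-of-range values, so `std::strtol` with a range check, or `std::from_chars` if the project builds as C++17, would close that as well. If `m_DataIt == m_DataItEnd` can reach this branch, `&(*m_DataIt)` dereferences the end iterator before the length is even computed — the enclosing condition is outside the hunk, so worth confirming. getFace's body continues outside the hunk.
```cpp
//OBJ USES 1 Base ARRAYS!!!!
auto numEnd = m_DataIt;
if (numEnd != m_DataItEnd && (*numEnd == '-' || *numEnd == '+')) {
    ++numEnd;
}
while (numEnd != m_DataItEnd && std::isdigit(static_cast<unsigned char>(*numEnd))) {
    ++numEnd;
}
// Copy only the sign + digit run, not the whole remaining buffer.
const std::string number(m_DataIt, numEnd);
const int iVal(::atoi(number.c_str()));
// … unchanged: iStep increment, int tmp = iVal …
```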
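Review bot: Every property branch in this hunk (ambient, diffuse, specular, emissive) repeats the same `if (m_pModel->m_pCurrentMaterial != nullptr)` guard and silently drops the directive when it fails, so a material file whose properties precede its first `newmtl` parses "successfully" with all of them lost. A single check at the top of the per-line dispatch — exempting only the branch that calls `createMaterial()` — with a diagnostic such as `ASSIMP_LOG_WARN("OBJ/MTL: material property before newmtl, line skipped")` (ASSIMP_LOG_ERROR is the macro visible in DXFLoader) would be one guard instead of fifteen and would tell the user what was discarded; I cannot see the dispatch structure from here, so placement needs checking. Failing that, a small helper like `bool hasMaterial() const` keeps the guards consistent as more properties are added. The new guards are also brace-less single-statement `if`s while the surrounding branches use braces; matching the file's style avoids the classic "second statement added later" mistake. load() starts and continues outside the hunk.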
@@ -145,13 +149,15 @@ void ObjFileMtlImporter::load() { // Material transmission color if (*m_DataIt == 'f') { ++m_DataIt; - getColorRGBA(&m_pModel->m_pCurrentMaterial->transparent); + if (m_pModel->m_pCurrentMaterial != nullptr) + getColorRGBA(&m_pModel->m_pCurrentMaterial->transparent); } else if (*m_DataIt == 'r') { // Material transmission alpha value ++m_DataIt; ai_real d; getFloatValue(d); - m_pModel->m_pCurrentMaterial->alpha = static_cast(1.0) - d; + if (m_pModel->m_pCurrentMaterial != nullptr) + m_pModel->m_pCurrentMaterial->alpha = static_cast(1.0) - d; } m_DataIt = skipLine(m_DataIt, m_DataItEnd, m_uiLine); } break; @@ -162,7 +168,8 @@ void ObjFileMtlImporter::load() { } else { // Alpha value ++m_DataIt; - getFloatValue(m_pModel->m_pCurrentMaterial->alpha); + if (m_pModel->m_pCurrentMaterial != nullptr) + getFloatValue(m_pModel->m_pCurrentMaterial->alpha); m_DataIt = skipLine(m_DataIt, m_DataItEnd, m_uiLine); } } break; @@ -173,11 +180,13 @@ void ObjFileMtlImporter::load() { switch (*m_DataIt) { case 's': // Specular exponent ++m_DataIt; - getFloatValue(m_pModel->m_pCurrentMaterial->shineness); + if (m_pModel->m_pCurrentMaterial != nullptr) + getFloatValue(m_pModel->m_pCurrentMaterial->shineness); break; case 'i': // Index Of refraction ++m_DataIt; - getFloatValue(m_pModel->m_pCurrentMaterial->ior); + if (m_pModel->m_pCurrentMaterial != nullptr) + getFloatValue(m_pModel->m_pCurrentMaterial->ior); break; case 'e': // New material createMaterial(); 
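Review bot: In the transmission-alpha branch the new line `m_pModel->m_pCurrentMaterial->alpha = static_cast<ai_real>(1.0) - d;` reads `d`, which is declared as `ai_real d;` without an initializer; if `getFloatValue` leaves its out-parameter untouched on a malformed token (its body is not visible here), the material's alpha becomes an indeterminate value. Initializing it, `ai_real d = 0;` or whatever default alpha the importer intends, makes the guarded assignment well-defined regardless of what getFloatValue does on bad input. As in the other hunks, the guard is a brace-less single-statement `if` where the surrounding code braces its conditionals; braces would match the file's style. load() starts and continues outside the hunk.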
@@ -197,23 +206,28 @@ void ObjFileMtlImporter::load() { { case 'r': ++m_DataIt; - getFloatValue(m_pModel->m_pCurrentMaterial->roughness); + if (m_pModel->m_pCurrentMaterial != nullptr) + getFloatValue(m_pModel->m_pCurrentMaterial->roughness); break; case 'm': ++m_DataIt; - getFloatValue(m_pModel->m_pCurrentMaterial->metallic); + if (m_pModel->m_pCurrentMaterial != nullptr) + getFloatValue(m_pModel->m_pCurrentMaterial->metallic); break; case 's': ++m_DataIt; - getColorRGBA(m_pModel->m_pCurrentMaterial->sheen); + if (m_pModel->m_pCurrentMaterial != nullptr) + getColorRGBA(m_pModel->m_pCurrentMaterial->sheen); break; case 'c': ++m_DataIt; if (*m_DataIt == 'r') { ++m_DataIt; - getFloatValue(m_pModel->m_pCurrentMaterial->clearcoat_roughness); + if (m_pModel->m_pCurrentMaterial != nullptr) + getFloatValue(m_pModel->m_pCurrentMaterial->clearcoat_roughness); } else { - getFloatValue(m_pModel->m_pCurrentMaterial->clearcoat_thickness); + if (m_pModel->m_pCurrentMaterial != nullptr) + getFloatValue(m_pModel->m_pCurrentMaterial->clearcoat_thickness); } break; } @@ -232,7 +246,8 @@ void ObjFileMtlImporter::load() { case 'i': // Illumination model { m_DataIt = getNextToken(m_DataIt, m_DataItEnd); - getIlluminationModel(m_pModel->m_pCurrentMaterial->illumination_model); + if (m_pModel->m_pCurrentMaterial != nullptr) + getIlluminationModel(m_pModel->m_pCurrentMaterial->illumination_model); m_DataIt = skipLine(m_DataIt, m_DataItEnd, m_uiLine); } break; @@ -240,7 +255,8 @@ void ObjFileMtlImporter::load() { { ++m_DataIt; getFloatValue(m_pModel->m_pCurrentMaterial->anisotropy); - m_DataIt = skipLine(m_DataIt, m_DataItEnd, m_uiLine); + if (m_pModel->m_pCurrentMaterial != nullptr) + m_DataIt = skipLine(m_DataIt, m_DataItEnd, m_uiLine); } break; default: {
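Review bot: In the last hunk the null guard landed on the wrong statement: `getFloatValue(m_pModel->m_pCurrentMaterial->anisotropy);` is still executed unconditionally, so a line reaching this branch before any material exists still dereferences a null material — the crash this patch set is fixing — while `skipLine` is now skipped when the material is null, leaving `m_DataIt` mid-line so the remainder of the line is reparsed as directives. The guard should wrap the property write and the line skip should stay unconditional: `if (m_pModel->m_pCurrentMaterial != nullptr)` / `    getFloatValue(m_pModel->m_pCurrentMaterial->anisotropy);` / `m_DataIt = skipLine(m_DataIt, m_DataItEnd, m_uiLine);`. The `case` label for this branch is outside the hunk, so which directive reaches it is my inference; load() continues outside the hunk.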