From 9d3c0081ebe199ec793a96f8e4c334cdd0e95a84 Mon Sep 17 00:00:00 2001
From: Max Vollmer
Date: Mon, 14 Dec 2020 16:49:04 +0000
Subject: [PATCH] Throw if property length is out of bounds
---
 code/AssetLib/FBX/FBXBinaryTokenizer.cpp | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/code/AssetLib/FBX/FBXBinaryTokenizer.cpp b/code/AssetLib/FBX/FBXBinaryTokenizer.cpp
index 419750e2c..fae96a66a 100644
--- a/code/AssetLib/FBX/FBXBinaryTokenizer.cpp
+++ b/code/AssetLib/FBX/FBXBinaryTokenizer.cpp
@@ -375,6 +375,11 @@ bool ReadScope(TokenList& output_tokens, const char* input, const char*& cursor,
 // now come the individual properties
 const char* begin_cursor = cursor;
+
+ if ((begin_cursor + prop_length) > end) {
+ TokenizeError("property length out of bounds reading length ", input, cursor);
+ }
+
 for (unsigned int i = 0; i < prop_count; ++i) {
 ReadData(sbeg, send, input, cursor, begin_cursor + prop_length);
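Review bot: The added guard `(begin_cursor + prop_length) > end` builds the out-of-range pointer before comparing it, so when `prop_length` (presumably read from the FBX input) exceeds the bytes remaining, the addition itself is undefined behaviour and can wrap, notably on 32-bit targets, letting the check pass. Comparing the length against the remaining size avoids forming that pointer: `if (prop_length > static_cast<size_t>(end - begin_cursor)) {`. The declarations of `prop_length` and `end` are outside the hunk, as are the start and end of ReadScope, so the cast should be matched to the types actually declared there. The message `"property length out of bounds reading length "` ends in a trailing space and repeats "length"; something like `"property length out of bounds"` reads more cleanly in a log.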