|
@@ -1147,7 +1147,7 @@ cgltf_result cgltf_parse(const cgltf_options* options, const void* data, cgltf_s
|
|
|
// JSON chunk: length
|
|
// JSON chunk: length
|
|
|
uint32_t json_length;
|
|
uint32_t json_length;
|
|
|
memcpy(&json_length, json_chunk, 4);
|
|
memcpy(&json_length, json_chunk, 4);
|
|
|
- if (GlbHeaderSize + GlbChunkHeaderSize + json_length > size)
|
|
|
|
|
|
|
+ if (json_length > size - GlbHeaderSize - GlbChunkHeaderSize)
|
|
|
{
|
|
{
|
|
|
return cgltf_result_data_too_short;
|
|
return cgltf_result_data_too_short;
|
|
|
}
|
|
}
|
|
@@ -1164,7 +1164,7 @@ cgltf_result cgltf_parse(const cgltf_options* options, const void* data, cgltf_s
|
|
|
const void* bin = NULL;
|
|
const void* bin = NULL;
|
|
|
cgltf_size bin_size = 0;
|
|
cgltf_size bin_size = 0;
|
|
|
|
|
|
|
|
- if (GlbHeaderSize + GlbChunkHeaderSize + json_length + GlbChunkHeaderSize <= size)
|
|
|
|
|
|
|
+ if (GlbChunkHeaderSize <= size - GlbHeaderSize - GlbChunkHeaderSize - json_length)
|
|
|
{
|
|
{
|
|
|
// We can read another chunk
|
|
// We can read another chunk
|
|
|
const uint8_t* bin_chunk = json_chunk + json_length;
|
|
const uint8_t* bin_chunk = json_chunk + json_length;
|
|
@@ -1172,7 +1172,7 @@ cgltf_result cgltf_parse(const cgltf_options* options, const void* data, cgltf_s
|
|
|
// Bin chunk: length
|
|
// Bin chunk: length
|
|
|
uint32_t bin_length;
|
|
uint32_t bin_length;
|
|
|
memcpy(&bin_length, bin_chunk, 4);
|
|
memcpy(&bin_length, bin_chunk, 4);
|
|
|
- if (GlbHeaderSize + GlbChunkHeaderSize + json_length + GlbChunkHeaderSize + bin_length > size)
|
|
|
|
|
|
|
+ if (bin_length > size - GlbHeaderSize - GlbChunkHeaderSize - json_length - GlbChunkHeaderSize)
|
|
|
{
|
|
{
|
|
|
return cgltf_result_data_too_short;
|
|
return cgltf_result_data_too_short;
|
|
|
}
|
|
}
|
Бранимир Караџић