Merge pull request #4146 from alpire/master

Fix fuzzer crashes

code/AssetLib/HMP/HMPLoader.cpp

@@ -451,6 +451,7 @@ void HMPImporter::ReadFirstSkin(unsigned int iNumSkins, const unsigned char *szC
 
     // now we need to skip any other skins ...
     for (unsigned int i = 1; i < iNumSkins; ++i) {
+        SizeCheck(szCursor + 3 * sizeof(uint32_t));
         iType = *((uint32_t *)szCursor);
         szCursor += sizeof(uint32_t);
         iWidth = *((uint32_t *)szCursor);

code/AssetLib/M3D/m3d.h

@@ -896,7 +896,7 @@ char *_m3d_safestr(char *in, int morelines) {
         if (!out) return NULL;
         while (*i == ' ' || *i == '\t' || *i == '\r' || (morelines && *i == '\n'))
             i++;
-        for (; *i && (morelines || (*i != '\r' && *i != '\n')); i++) {
+        for (; *i && (morelines || (*i != '\r' && *i != '\n')) && o - out < l; i++) {
             if (*i == '\r') continue;
             if (*i == '\n') {
                 if (morelines >= 3 && o > out && *(o - 1) == '\n') break;

code/AssetLib/MDL/MDLLoader.cpp

@@ -600,7 +600,7 @@ void MDLImporter::InternReadFile_3DGS_MDL345() {
 
     // need to read all textures
     for (unsigned int i = 0; i < (unsigned int)pcHeader->num_skins; ++i) {
-        if (szCurrent >= szEnd) {
+        if (szCurrent + sizeof(uint32_t) > szEnd) {
             throw DeadlyImportError("Texture data past end of file.");
         }
         BE_NCONST MDL::Skin *pcSkin;

code/AssetLib/MDL/MDLMaterialLoader.cpp

@@ -132,6 +132,9 @@ void MDLImporter::CreateTextureARGB8_3DGS_MDL3(const unsigned char *szData) {
     pcNew->mWidth = pcHeader->skinwidth;
     pcNew->mHeight = pcHeader->skinheight;
 
+    if(pcNew->mWidth != 0 && pcNew->mHeight > UINT_MAX/pcNew->mWidth) {
+        throw DeadlyImportError("Invalid MDL file. A texture is too big.");
+    }
     pcNew->pcData = new aiTexel[pcNew->mWidth * pcNew->mHeight];
 
     const unsigned char *szColorMap;
@@ -217,6 +220,9 @@ void MDLImporter::ParseTextureColorData(const unsigned char *szData,
 
     // allocate storage for the texture image
     if (do_read) {
+        if(pcNew->mWidth != 0 && pcNew->mHeight > UINT_MAX/pcNew->mWidth) {
+            throw DeadlyImportError("Invalid MDL file. A texture is too big.");
+        }
         pcNew->pcData = new aiTexel[pcNew->mWidth * pcNew->mHeight];
     }
 

code/Common/FileSystemFilter.h

@@ -300,13 +300,14 @@ private:
 
         const char separator = getOsSeparator();
         for (it = in.begin(); it != in.end(); ++it) {
+            int remaining = std::distance(in.end(), it);
             // Exclude :// and \\, which remain untouched.
             // https://sourceforge.net/tracker/?func=detail&aid=3031725&group_id=226462&atid=1067632
-            if ( !strncmp(&*it, "://", 3 )) {
+            if (remaining >= 3 && !strncmp(&*it, "://", 3 )) {
                 it += 3;
                 continue;
             }
-            if (it == in.begin() && !strncmp(&*it, "\\\\", 2)) {
+            if (it == in.begin() && remaining >= 2 && !strncmp(&*it, "\\\\", 2)) {
                 it += 2;
                 continue;
             }

code/Common/RemoveComments.cpp

@@ -64,20 +64,28 @@ void CommentRemover::RemoveLineComments(const char* szComment,
     if (len > lenBuffer) {
         len = lenBuffer;
     }
-    while (*szBuffer)   {
+
+    char *szCurrent = szBuffer;
+    while (*szCurrent)   {
 
         // skip over quotes
-        if (*szBuffer == '\"' || *szBuffer == '\'')
-            while (*szBuffer++ && *szBuffer != '\"' && *szBuffer != '\'');
-        if (!strncmp(szBuffer,szComment,len)) {
-            while (!IsLineEnd(*szBuffer))
-                *szBuffer++ = chReplacement;
+        if (*szCurrent == '\"' || *szCurrent == '\'')
+            while (*szCurrent++ && *szCurrent != '\"' && *szCurrent != '\'');
 
-            if (!*szBuffer) {
+        size_t lenRemaining = lenBuffer - (szCurrent - szBuffer);
+        if(lenRemaining < len) {
+            break;
+        }
+
+        if (!strncmp(szCurrent,szComment,len)) {
+            while (!IsLineEnd(*szCurrent))
+                *szCurrent++ = chReplacement;
+
+            if (!*szCurrent) {
                 break;
             }
         }
-        ++szBuffer;
+        ++szCurrent;
     }
 }
 

contrib/openddlparser/code/OpenDDLParser.cpp

@@ -292,12 +292,15 @@ char *OpenDDLParser::parseHeader(char *in, char *end) {
 
         Property *first(nullptr);
         in = lookForNextToken(in, end);
-        if (*in == Grammar::OpenPropertyToken[0]) {
+        if (in != end && *in == Grammar::OpenPropertyToken[0]) {
             in++;
             Property *prop(nullptr), *prev(nullptr);
-            while (*in != Grammar::ClosePropertyToken[0] && in != end) {
+            while (in != end && *in != Grammar::ClosePropertyToken[0]) {
                 in = OpenDDLParser::parseProperty(in, end, &prop);
                 in = lookForNextToken(in, end);
+                if(in == end) {
+                    break;
+                }
 
                 if (*in != Grammar::CommaSeparator[0] && *in != Grammar::ClosePropertyToken[0]) {
                     logInvalidTokenError(in, Grammar::ClosePropertyToken, m_logCallback);
@@ -314,7 +317,9 @@ char *OpenDDLParser::parseHeader(char *in, char *end) {
                     prev = prop;
                 }
             }
-            ++in;
+            if(in != end) {
+                ++in;
+            }
         }
 
         // set the properties
@@ -479,7 +484,7 @@ void OpenDDLParser::normalizeBuffer(std::vector<char> &buffer) {
         // check for a comment
         if (isCommentOpenTag(c, end)) {
             ++readIdx;
-            while (!isCommentCloseTag(&buffer[readIdx], end)) {
+            while (readIdx < len && !isCommentCloseTag(&buffer[readIdx], end)) {
                 ++readIdx;
             }
             ++readIdx;
@@ -489,7 +494,7 @@ void OpenDDLParser::normalizeBuffer(std::vector<char> &buffer) {
             if (isComment<char>(c, end)) {
                 ++readIdx;
                 // skip the comment and the rest of the line
-                while (!isEndofLine(buffer[readIdx])) {
+                while (readIdx < len && !isEndofLine(buffer[readIdx])) {
                     ++readIdx;
                 }
             }
@@ -548,8 +553,7 @@ char *OpenDDLParser::parseIdentifier(char *in, char *end, Text **id) {
     // get size of id
     size_t idLen(0);
     char *start(in);
-    while (!isSeparator(*in) &&
-            !isNewLine(*in) && (in != end) &&
+    while ((in != end) && !isSeparator(*in) && !isNewLine(*in) &&
             *in != Grammar::OpenPropertyToken[0] &&
             *in != Grammar::ClosePropertyToken[0] &&
             *in != '$') {
@@ -861,7 +865,7 @@ char *OpenDDLParser::parseProperty(char *in, char *end, Property **prop) {
     in = parseIdentifier(in, end, &id);
     if (nullptr != id) {
         in = lookForNextToken(in, end);
-        if (*in == '=') {
+        if (in != end && *in == '=') {
             ++in;
             in = getNextToken(in, end);
             Value *primData(nullptr);

contrib/openddlparser/include/openddlparser/OpenDDLParserUtils.h

@@ -318,7 +318,8 @@ static const unsigned char chartype_table[256] = {
 
 template <class T>
 inline bool isNumeric(const T in) {
-    return (chartype_table[static_cast<size_t>(in)] == 1);
+    size_t idx = static_cast<size_t>(in);
+    return idx < sizeof(chartype_table) && (chartype_table[idx] == 1);
 }
 
 template <class T>

include/assimp/IOStreamBuffer.h

@@ -261,6 +261,11 @@ AI_FORCE_INLINE bool IOStreamBuffer<T>::getNextDataLine(std::vector<T> &buffer,
         buffer[i] = m_cache[m_cachePos];
         ++m_cachePos;
         ++i;
+
+        if(i == buffer.size()) {
+            buffer.resize(buffer.size() * 2);
+        }
+
         if (m_cachePos >= size()) {
             break;
         }
@@ -308,6 +313,11 @@ AI_FORCE_INLINE bool IOStreamBuffer<T>::getNextLine(std::vector<T> &buffer) {
         buffer[i] = m_cache[m_cachePos];
         ++m_cachePos;
         ++i;
+
+        if(i == buffer.size()) {
+            buffer.resize(buffer.size() * 2);
+        }
+
         if (m_cachePos >= m_cacheSize) {
             if (!readNextBlock()) {
                 return false;