|
|
@@ -724,6 +724,7 @@ void MD3Importer::InternReadFile(const std::string &pFile, aiScene *pScene, IOSy
|
|
|
std::vector<unsigned char> mBuffer2(fileSize);
|
|
|
file->Read(&mBuffer2[0], 1, fileSize);
|
|
|
mBuffer = &mBuffer2[0];
|
|
|
+ const unsigned char* bufferEnd = mBuffer + fileSize;
|
|
|
|
|
|
pcHeader = (BE_NCONST MD3::Header *)mBuffer;
|
|
|
|
|
|
@@ -749,9 +750,15 @@ void MD3Importer::InternReadFile(const std::string &pFile, aiScene *pScene, IOSy
|
|
|
|
|
|
// Navigate to the list of surfaces
|
|
|
BE_NCONST MD3::Surface *pcSurfaces = (BE_NCONST MD3::Surface *)(mBuffer + pcHeader->OFS_SURFACES);
|
|
|
+ if ((const unsigned char*)pcSurfaces + sizeof(MD3::Surface) * pcHeader->NUM_SURFACES > bufferEnd) {
|
|
|
+ throw DeadlyImportError("MD3 surface headers are outside the file");
|
|
|
+ }
|
|
|
|
|
|
// Navigate to the list of tags
|
|
|
BE_NCONST MD3::Tag *pcTags = (BE_NCONST MD3::Tag *)(mBuffer + pcHeader->OFS_TAGS);
|
|
|
+ if ((const unsigned char*)pcTags + sizeof(MD3::Tag) * pcHeader->NUM_TAGS > bufferEnd) {
|
|
|
+ throw DeadlyImportError("MD3 tags are outside the file");
|
|
|
+ }
|
|
|
|
|
|
// Allocate output storage
|
|
|
pScene->mNumMeshes = pcHeader->NUM_SURFACES;
|
|
|
@@ -1026,6 +1033,10 @@ void MD3Importer::InternReadFile(const std::string &pFile, aiScene *pScene, IOSy
|
|
|
|
|
|
for (unsigned int i = 0; i < pcHeader->NUM_TAGS; ++i, ++pcTags) {
|
|
|
aiNode *nd = pScene->mRootNode->mChildren[i] = new aiNode();
|
|
|
+ if ((const unsigned char*)pcTags + sizeof(MD3::Tag) > bufferEnd) {
|
|
|
+ throw DeadlyImportError("MD3 tag is outside the file");
|
|
|
+ }
|
|
|
+
|
|
|
nd->mName.Set((const char *)pcTags->NAME);
|
|
|
nd->mParent = pScene->mRootNode;
|
|
|
|
dataisland