
ColladaParser: check values length (#5462)

* ColladaParser: check values length

fixes: #4286

* Refactor calculation of size for data

---------

Co-authored-by: Kim Kulling <[email protected]>
Adam Mizerski 1 年間 前
コミット
4b9f46dbda

+ 9 - 1
code/AssetLib/Collada/ColladaParser.cpp

@@ -3,7 +3,7 @@
 Open Asset Import Library (assimp)
 ---------------------------------------------------------------------------
 
-Copyright (c) 2006-2022, assimp team
+Copyright (c) 2006-2024, assimp team
 
 All rights reserved.
 
@@ -1786,6 +1786,10 @@ size_t ColladaParser::ReadPrimitives(XmlNode &node, Mesh &pMesh, std::vector<Inp
         const Accessor *acc = input.mResolved;
         if (!acc->mData) {
             acc->mData = &ResolveLibraryReference(mDataLibrary, acc->mSource);
+            const size_t dataSize = acc->mOffset + acc->mCount * acc->mStride;
+            if (dataSize > acc->mData->mValues.size()) {
+                throw DeadlyImportError("Not enough data for accessor");
+            }
         }
     }
     // and the same for the per-index channels
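Review bot: The size computation `acc->mOffset + acc->mCount * acc->mStride` in the added check can wrap around, because offset, count and stride all come from the parsed file (assuming they are unsigned `size_t` fields, which the hunk does not show); a wrapped `dataSize` passes the comparison and later reads can still run past `mValues`. Comparing by subtraction and division avoids the wrap: `const size_t avail = acc->mData->mValues.size();` followed by `if (acc->mOffset > avail || (acc->mStride != 0 && acc->mCount > (avail - acc->mOffset) / acc->mStride)) {`. The same four lines are repeated in the per-index loop in the next hunk (-1810/+1814), so the fix applies there too, and a small shared helper would keep the two copies in step. The check also runs only inside `if (!acc->mData)`, so an accessor whose `mData` was set elsewhere is not validated here; ReadPrimitives continues outside the hunk, so it is worth confirming that no other path sets it.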
@@ -1810,6 +1814,10 @@ size_t ColladaParser::ReadPrimitives(XmlNode &node, Mesh &pMesh, std::vector<Inp
         const Accessor *acc = input.mResolved;
         if (!acc->mData) {
             acc->mData = &ResolveLibraryReference(mDataLibrary, acc->mSource);
+            const size_t dataSize = acc->mOffset + acc->mCount * acc->mStride;
+            if (dataSize > acc->mData->mValues.size()) {
+                throw DeadlyImportError("Not enough data for accessor");
+            }
         }
     }
 

ファイルの差分が大きいため隠しています
+ 132 - 0
test/models/invalid/box_nested_animation_4286.dae


+ 3 - 0
test/models/invalid/readme.txt

@@ -18,6 +18,9 @@ crash.
 FILES
 *********************************************************
 
+box_nested_animation_4286.dae - This was reported as GH#4286.
+  The "count" parameter in "Cube-mesh-positions-array" is too small.
+
 OutOfMemory.off - the number of faces is invalid. There won't be
   enough memory so std::vector::reserve() will most likely fail.
   The exception should be caught in Importer.cpp.

+ 8 - 0
test/unit/utColladaImportExport.cpp

@@ -357,6 +357,14 @@ TEST_F(utColladaImportExport, exporterUniqueIdsTest) {
     ImportAsNames(outFileNamed, scene);
 }
 
+// This file is invalid, we just want to ensure that the importer is not crashing
+// This was reported as GH#4286. The "count" parameter in "Cube-mesh-positions-array" is too small.
+TEST_F(utColladaImportExport, parseInvalid4286) {
+    Assimp::Importer importer;
+    const aiScene *scene = importer.ReadFile(ASSIMP_TEST_MODELS_DIR "/invalid/box_nested_animation_4286.dae", 0);
+    EXPECT_EQ(nullptr, scene);
+}
+
 #endif
 
 class utColladaZaeImportExport : public AbstractImportExportBase {
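Review bot: `EXPECT_EQ(nullptr, scene)` in parseInvalid4286 passes for any import failure, including a missing or mis-named fixture file, so it does not show that the new length check is what rejected the file. Asserting on the error text pins that down, e.g. `EXPECT_NE(nullptr, strstr(importer.GetErrorString(), "Not enough data for accessor"));`. The test also sits just before an `#endif` whose opening directive is outside the hunk; if that guard is the exporter switch, this import-only regression test is compiled out in no-export builds and would be better placed outside it.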

この差分においてかなりの量のファイルが変更されているため、一部のファイルを表示していません