Home Explore Help
Sign In
software
/
assimp.assimp
mirror of https://github.com/assimp/assimp.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

MDC: Fix MDCImporter surface header bounds and endianness checks (#6440)

- Validate ulOffsetEnd in MDCImporter::ValidateSurfaceHeader to
  prevent pcSurface2 from moving past the MDC buffer(fixes #6167, CVE-2025-5165).
- Apply AI_SWAP4 to ulOffsetShaders before using it in bounds checks.

Signed-off-by: mapengyuan <[email protected]>
Co-authored-by: Kim Kulling <[email protected]>
peng 22 hours ago
parent
d8a9074cd0
commit
d1e6bcff6b
1 changed files with 3 additions and 1 deletions
Split View Show Diff Stats
  1. 3 1
      code/AssetLib/MDC/MDCLoader.cpp

+ 3 - 1
code/AssetLib/MDC/MDCLoader.cpp
View File 

@@ -160,6 +160,7 @@ void MDCImporter::ValidateSurfaceHeader(BE_NCONST MDC::Surface *pcSurf) {
 
     AI_SWAP4(pcSurf->ulOffsetTexCoords);
 
     AI_SWAP4(pcSurf->ulOffsetBaseVerts);
 
     AI_SWAP4(pcSurf->ulOffsetCompVerts);
 
+    AI_SWAP4(pcSurf->ulOffsetShaders);
 
     AI_SWAP4(pcSurf->ulOffsetFrameBaseFrames);
 
     AI_SWAP4(pcSurf->ulOffsetFrameCompFrames);
 
     AI_SWAP4(pcSurf->ulOffsetEnd);
 
@@ -172,7 +173,8 @@ void MDCImporter::ValidateSurfaceHeader(BE_NCONST MDC::Surface *pcSurf) {
 
             pcSurf->ulOffsetTexCoords + pcSurf->ulNumVertices * sizeof(MDC::TexturCoord) > iMax ||
 
             pcSurf->ulOffsetShaders + pcSurf->ulNumShaders * sizeof(MDC::Shader) > iMax ||
 
             pcSurf->ulOffsetFrameBaseFrames + pcSurf->ulNumBaseFrames * 2 > iMax ||
 
-            (pcSurf->ulNumCompFrames && pcSurf->ulOffsetFrameCompFrames + pcSurf->ulNumCompFrames * 2 > iMax)) {
 
+            (pcSurf->ulNumCompFrames && pcSurf->ulOffsetFrameCompFrames + pcSurf->ulNumCompFrames * 2 > iMax) ||
 
+            pcSurf->ulOffsetEnd > iMax) {
 
         throw DeadlyImportError("Some of the offset values in the MDC surface header "
 
                                 "are invalid and point somewhere behind the file.");
 
     }