Home Explore Help
Sign In
software
/
assimp.assimp
mirror of https://github.com/assimp/assimp.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

MDL: Fix read past end of buffer on malformed input

Turo Lamminen 9 years ago
parent
6ee5fdf567
commit
e2361bf209
1 changed files with 4 additions and 0 deletions
Unified View Show Diff Stats
  1. 4 0
      code/MDLLoader.cpp

+ 4 - 0
code/MDLLoader.cpp
View File 

@@ -576,9 +576,13 @@ void MDLImporter::InternReadFile_3DGS_MDL345( )
 
 
 
     // current cursor position in the file
 
     // current cursor position in the file
 
     const unsigned char* szCurrent = (const unsigned char*)(pcHeader+1);
 
     const unsigned char* szCurrent = (const unsigned char*)(pcHeader+1);
 
+    const unsigned char* szEnd = mBuffer + iFileSize;
 
 
 
     // need to read all textures
 
     // need to read all textures
 
     for (unsigned int i = 0; i < (unsigned int)pcHeader->num_skins;++i) {
 
     for (unsigned int i = 0; i < (unsigned int)pcHeader->num_skins;++i) {
 
+        if (szCurrent >= szEnd) {
 
+            throw DeadlyImportError( "Texture data past end of file.");
 
+        }
 
         BE_NCONST MDL::Skin* pcSkin;
 
         BE_NCONST MDL::Skin* pcSkin;
 
         pcSkin = (BE_NCONST  MDL::Skin*)szCurrent;
 
         pcSkin = (BE_NCONST  MDL::Skin*)szCurrent;
 
         AI_SWAP4( pcSkin->group);
 
         AI_SWAP4( pcSkin->group);