From 11a5d1b8ef2018d0eb765ef1ddae95a13a8b59b6 Mon Sep 17 00:00:00 2001
From: uwezkhan <114483941+uwezkhan@users.noreply.github.com>
Date: Wed, 29 Apr 2026 16:54:29 +0530
Subject: [PATCH] Fix out-of-bounds read in StreamReader::IncPtr (#6600)
Co-authored-by: Kim Kulling
---
 include/assimp/StreamReader.h | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/include/assimp/StreamReader.h b/include/assimp/StreamReader.h
index 363636496..a00ea7b5e 100644
--- a/include/assimp/StreamReader.h
+++ b/include/assimp/StreamReader.h
@@ -196,10 +196,23 @@ public:
 // ---------------------------------------------------------------------
 /** Increase the file pointer (relative seeking) */
 void IncPtr(intptr_t plus) {
- mCurrent += plus;
- if (mCurrent > mLimit) {
- throw DeadlyImportError("End of file or read limit was reached");
+ // Ensure internal pointer invariants hold
+ if (mCurrent < mBuffer || mCurrent > mLimit) {
+ throw DeadlyImportError("StreamReader: Invalid internal pointer state");
 }
+
+ if (plus < 0) {
+ const size_t absPlus = static_cast(-(plus + 1)) + 1;
+ if (absPlus > static_cast(mCurrent - mBuffer)) {
+ throw DeadlyImportError("StreamReader: Attempted to seek outside buffer bounds");
+ }
+ } else if (plus > 0) {
+ if (static_cast(plus) > static_cast(mLimit - mCurrent)) {
+ throw DeadlyImportError("StreamReader: Attempted to seek outside buffer bounds");
+ }
+ }
+
+ mCurrent += plus;
 }
 // ---------------------------------------------------------------------
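Review bot: The negative branch of IncPtr computes the offset magnitude as `-(plus + 1)) + 1` with no explanation, and the doc comment above the function still says only that it increases the file pointer. I would add `// -(plus + 1) + 1 avoids signed overflow when plus is the minimum intptr_t value` above the absPlus line, and extend the doc comment to say that negative offsets are accepted and that DeadlyImportError is thrown, before mCurrent is modified, when the target would fall outside the range from mBuffer to mLimit. The `static_cast` calls appear without a target type in this rendering, so this note assumes they convert to `size_t`, as the absPlus declaration suggests. The diffstat lists only StreamReader.h, so a regression test that calls IncPtr with an offset past mLimit and with a negative offset reaching before mBuffer would help keep this bounds check from regressing.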