Fix out-of-bounds read in StreamReader::IncPtr (#6600)

Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>
2026-04-29 16:54:29 +05:30
parent 9e56e52252
commit 11a5d1b8ef
1 changed files with 16 additions and 3 deletions
--- a/include/assimp/StreamReader.h
+++ b/include/assimp/StreamReader.h
@@ -196,10 +196,23 @@ public:
    // ---------------------------------------------------------------------
    /** Increase the file pointer (relative seeking)  */
    void IncPtr(intptr_t plus) {
-        mCurrent += plus;
-        if (mCurrent > mLimit) {
-            throw DeadlyImportError("End of file or read limit was reached");
+        // Ensure internal pointer invariants hold
+        if (mCurrent < mBuffer || mCurrent > mLimit) {
+            throw DeadlyImportError("StreamReader: Invalid internal pointer state");
        }
+
+        if (plus < 0) {
+            const size_t absPlus = static_cast<size_t>(-(plus + 1)) + 1;
+            if (absPlus > static_cast<size_t>(mCurrent - mBuffer)) {
+                throw DeadlyImportError("StreamReader: Attempted to seek outside buffer bounds");
+            }
+        } else if (plus > 0) {
+            if (static_cast<size_t>(plus) > static_cast<size_t>(mLimit - mCurrent)) {
+                throw DeadlyImportError("StreamReader: Attempted to seek outside buffer bounds");
+            }
+        }
+
+        mCurrent += plus;
    }

    // ---------------------------------------------------------------------