Fix AC3DImporter heap-buffer-overflow by validating mesh vertex bounds (#6458)

Add validations check in AC3DImporter::ConvertObjectSection to ensure that writing TriangleStrip vertex data does not exceed mesh->mNumVertices allocation. Fixes #6015 (CVE-2025-2754) Fixes #6018 (CVE-2025-2756) Signed-off-by: mapengyuan <mapengyuan@xfusion.com>
2026-01-29 04:33:55 +08:00
parent e0b52347c6
commit ae6633ef8a
1 changed files with 8 additions and 0 deletions
--- a/code/AssetLib/AC/ACLoader.cpp
+++ b/code/AssetLib/AC/ACLoader.cpp
@@ -607,6 +607,10 @@ aiNode *AC3DImporter::ConvertObjectSection(Object &object,
                                const Surface::SurfaceEntry &entry1 = src.entries[i];
                                const Surface::SurfaceEntry &entry2 = src.entries[i + 1];
                                const Surface::SurfaceEntry &entry3 = src.entries[i + 2];
+                                const unsigned int verticesNeeded = isDoubleSided ? 6 : 3;
+                                if (static_cast<unsigned>(vertices - mesh->mVertices) + verticesNeeded > mesh->mNumVertices) {
+                                    throw DeadlyImportError("AC3D: Invalid number of vertices");
+                                }

                                aiFace &face = *faces++;
                                face.mNumIndices = 3;
@@ -661,6 +665,10 @@ aiNode *AC3DImporter::ConvertObjectSection(Object &object,
                            unsigned int tmp = (unsigned int)(*it).entries.size();
                            if (Surface::OpenLine == type) --tmp;
                            for (unsigned int m = 0; m < tmp; ++m) {
+                                if (static_cast<unsigned>(vertices - mesh->mVertices) + 2 > mesh->mNumVertices) {
+                                    throw DeadlyImportError("AC3D: Invalid number of vertices");
+                                }
+
                                aiFace &face = *faces++;

                                face.mNumIndices = 2;