glTF2: Fix heap-buffer-overflow in GetVertexColorsForType (#6558)

The `GetVertexColorsForType` function previously used `input->count` (the total number of elements in the accessor) to allocate the output array and bound the conversion loop. However, when a `vertexRemappingTable` is provided, `ExtractData` extracts a subset of elements matching the size of the remapping table rather than the full accessor count. In cases where the remapping table was smaller than the accessor count (including empty tables), the subsequent loop would perform out-of-bounds reads on the `colors` buffer allocated by `ExtractData`. This fix captures the actual number of elements extracted by `ExtractData` and uses this value for the output allocation and loop iteration, ensuring memory safety when vertex remapping is active. Verified with ASan and existing unit tests.
2026-03-11 10:53:34 -04:00
parent e70199446d
commit b2852bc49b
1 changed files with 3 additions and 3 deletions
--- a/code/AssetLib/glTF2/glTF2Importer.cpp
+++ b/code/AssetLib/glTF2/glTF2Importer.cpp
@@ -462,9 +462,9 @@ template <typename T>
 aiColor4D *GetVertexColorsForType(Ref<Accessor> input, std::vector<unsigned int> *vertexRemappingTable) {
    constexpr float max = std::numeric_limits<T>::max();
    aiColor4t<T> *colors;
-    input->ExtractData(colors, vertexRemappingTable);
-    auto output = new aiColor4D[input->count];
-    for (size_t i = 0; i < input->count; i++) {
+    size_t count = input->ExtractData(colors, vertexRemappingTable);
+    auto output = new aiColor4D[count];
+    for (size_t i = 0; i < count; i++) {
        output[i] = aiColor4D(
                colors[i].r / max, colors[i].g / max,
                colors[i].b / max, colors[i].a / max);