Scarfski/assimp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix heap-buffer-overflow in OpenGEXImporter::handleIndexArrayNode() (#6470)

Browse Source 
The mColors[0] array was allocated with m_numColors elements but
indexed up to mNumVertices (= numFaces * 3), causing an out-of-bounds
write when the color count is less than the vertex count.

Allocate mColors[0] with mNumVertices (matching mNormals and
mTextureCoords), and add a bounds check on idx before reading
from the source color array.

Fixes #6468

Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>
This commit is contained in:
ZhangJY
2026-02-11 06:19:12 +08:00
committed by GitHub
parent e38451ff6c
commit b4c7912d21
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
code/AssetLib/OpenGEX/OpenGEXImporter.cpp
View File

@@ -892,7 +892,7 @@ void OpenGEXImporter::handleIndexArrayNode(ODDLParser::DDLNode *node, aiScene *
m_currentMesh->mVertices = new aiVector3D[m_currentMesh->mNumVertices];
bool hasColors(false);
if (m_currentVertices.m_numColors > 0) {
m_currentMesh->mColors[0] = new aiColor4D[m_currentVertices.m_numColors];
m_currentMesh->mColors[0] = new aiColor4D[m_currentMesh->mNumVertices];
hasColors = true;
}
bool hasNormalCoords(false);
@@ -924,7 +924,7 @@ void OpenGEXImporter::handleIndexArrayNode(ODDLParser::DDLNode *node, aiScene *
ai_assert(index < m_currentMesh->mNumVertices);
aiVector3D &pos = (m_currentVertices.m_vertices[idx]);
m_currentMesh->mVertices[index].Set(pos.x, pos.y, pos.z);
if (hasColors) {
if (hasColors && static_cast<size_t>(idx) < m_currentVertices.m_numColors) {
aiColor4D &col = m_currentVertices.m_colors[idx];
m_currentMesh->mColors[0][index] = col;
}