Scarfski/assimp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MD3: Fix MD3Importer surface header bounds checks to prevent heap overflow (#6441)

Browse Source 
Improve bounds checks in MD3Importer::ValidateSurfaceHeaderOffsets to prevent pcSurf from accessing data outside the MD3 buffer (fixes #6070, CVE-2025-3549).

Signed-off-by: mapengyuan <mapengyuan@xfusion.com>
Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>
This commit is contained in:
peng
2026-01-20 07:29:27 +08:00
committed by GitHub
parent 129c1333e6
commit cf7b652190
1 changed files with 13 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
code/AssetLib/MD3/MD3Loader.cpp
View File

@@ -390,13 +390,21 @@ void MD3Importer::ValidateHeaderOffsets() {
void MD3Importer::ValidateSurfaceHeaderOffsets(const MD3::Surface *pcSurf) {
// Calculate the relative offset of the surface
const int32_t ofs = int32_t((const unsigned char *)pcSurf - this->mBuffer);
if (ofs + sizeof(MD3::Surface) > fileSize) {
throw DeadlyImportError("Surface header is outside file bounds");
}
auto inRange = [this, ofs](uint32_t rel_offset, uint32_t count, size_t elem_size) -> bool {
size_t abs_offset = ofs + rel_offset;
if (count > 0 && elem_size > 0 && count > SIZE_MAX / elem_size) return false;
size_t total = abs_offset + size_t(count) * elem_size;
return abs_offset <= fileSize && total <= fileSize;
};
// Check whether all data chunks are inside the valid range
if (pcSurf->OFS_TRIANGLES + ofs + pcSurf->NUM_TRIANGLES * sizeof(MD3::Triangle) > fileSize ||
pcSurf->OFS_SHADERS + ofs + pcSurf->NUM_SHADER * sizeof(MD3::Shader) > fileSize ||
pcSurf->OFS_ST + ofs + pcSurf->NUM_VERTICES * sizeof(MD3::TexCoord) > fileSize ||
pcSurf->OFS_XYZNORMAL + ofs + pcSurf->NUM_VERTICES * sizeof(MD3::Vertex) > fileSize) {
if (!inRange(pcSurf->OFS_TRIANGLES, pcSurf->NUM_TRIANGLES, sizeof(MD3::Triangle)) ||
!inRange(pcSurf->OFS_SHADERS, pcSurf->NUM_SHADER, sizeof(MD3::Shader)) ||
!inRange(pcSurf->OFS_ST, pcSurf->NUM_VERTICES, sizeof(MD3::TexCoord)) ||
!inRange(pcSurf->OFS_XYZNORMAL, pcSurf->NUM_VERTICES, sizeof(MD3::Vertex))) {
throw DeadlyImportError("Invalid MD3 surface header: some offsets are outside the file");
}