From d1e6bcff6b01c5da9856a2b6ed52ae9a06dfe8da Mon Sep 17 00:00:00 2001
From: peng
Date: Thu, 15 Jan 2026 20:23:54 +0800
Subject: [PATCH] MDC: Fix MDCImporter surface header bounds and endianness checks (#6440)

- Validate ulOffsetEnd in MDCImporter::ValidateSurfaceHeader to prevent pcSurface2 from moving past the MDC buffer(fixes #6167, CVE-2025-5165).
- Apply AI_SWAP4 to ulOffsetShaders before using it in bounds checks.

Signed-off-by: mapengyuan
Co-authored-by: Kim Kulling
---
 code/AssetLib/MDC/MDCLoader.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/code/AssetLib/MDC/MDCLoader.cpp b/code/AssetLib/MDC/MDCLoader.cpp
index 20e6b4272..6da95ccb9 100644
--- a/code/AssetLib/MDC/MDCLoader.cpp
+++ b/code/AssetLib/MDC/MDCLoader.cpp
@@ -160,6 +160,7 @@ void MDCImporter::ValidateSurfaceHeader(BE_NCONST MDC::Surface *pcSurf) {
 AI_SWAP4(pcSurf->ulOffsetTexCoords);
 AI_SWAP4(pcSurf->ulOffsetBaseVerts);
 AI_SWAP4(pcSurf->ulOffsetCompVerts);
+ AI_SWAP4(pcSurf->ulOffsetShaders);
 AI_SWAP4(pcSurf->ulOffsetFrameBaseFrames);
 AI_SWAP4(pcSurf->ulOffsetFrameCompFrames);
 AI_SWAP4(pcSurf->ulOffsetEnd);
@@ -172,7 +173,8 @@ void MDCImporter::ValidateSurfaceHeader(BE_NCONST MDC::Surface *pcSurf) {
 pcSurf->ulOffsetTexCoords + pcSurf->ulNumVertices * sizeof(MDC::TexturCoord) > iMax ||
 pcSurf->ulOffsetShaders + pcSurf->ulNumShaders * sizeof(MDC::Shader) > iMax ||
 pcSurf->ulOffsetFrameBaseFrames + pcSurf->ulNumBaseFrames * 2 > iMax ||
- (pcSurf->ulNumCompFrames && pcSurf->ulOffsetFrameCompFrames + pcSurf->ulNumCompFrames * 2 > iMax)) {
+ (pcSurf->ulNumCompFrames && pcSurf->ulOffsetFrameCompFrames + pcSurf->ulNumCompFrames * 2 > iMax) ||
+ pcSurf->ulOffsetEnd > iMax) {
 throw DeadlyImportError("Some of the offset values in the MDC surface header "
 "are invalid and point somewhere behind the file.");
 }
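Review bot: The added `pcSurf->ulOffsetEnd > iMax` term closes the surface-pointer overrun, but the neighbouring terms of the same condition still do their arithmetic in the width of the header fields, so `pcSurf->ulNumBaseFrames * 2` and `pcSurf->ulNumCompFrames * 2` can wrap modulo 2^32 on a crafted header (assuming these fields are 32-bit, as the `ul` prefix suggests) and slip under the `> iMax` comparison; the `sizeof` terms avoid this only because `size_t` is 64-bit on the usual targets and would wrap the same way on a 32-bit build. Widening each product before the addition, e.g. `static_cast<uint64_t>(pcSurf->ulOffsetFrameBaseFrames) + static_cast<uint64_t>(pcSurf->ulNumBaseFrames) * 2 > iMax` and the same for the comp-frames term, makes the check independent of the field width. A lower bound on `ulOffsetEnd` is also worth considering: a value smaller than `sizeof(MDC::Surface)` stays inside the buffer yet leaves the next surface header overlapping this one, and whether the caller's loop is otherwise bounded by the surface count cannot be seen from this hunk. ValidateSurfaceHeader's body, including where iMax is computed, starts outside the hunk.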