From 64688f449099246ec27eb013f58d72a0abb1c6e6 Mon Sep 17 00:00:00 2001
From: sfan5
Date: Mon, 18 Sep 2023 19:41:58 +0200
Subject: [PATCH] CB3DMeshFileLoader: add some bounds checks
---
 source/Irrlicht/CB3DMeshFileLoader.cpp | 29 +++++++++++++++++++++-----
 source/Irrlicht/SB3DStructs.h | 2 ++
 2 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/source/Irrlicht/CB3DMeshFileLoader.cpp b/source/Irrlicht/CB3DMeshFileLoader.cpp
index 20dad9d9..124c0f1d 100644
--- a/source/Irrlicht/CB3DMeshFileLoader.cpp
+++ b/source/Irrlicht/CB3DMeshFileLoader.cpp
@@ -274,7 +274,14 @@ bool CB3DMeshFileLoader::readChunkMESH(CSkinnedMesh::SJoint *inJoint)
 {
 scene::SSkinMeshBuffer *meshBuffer = AnimatedMesh->addMeshBuffer();
- if (brushID!=-1)
+ if (brushID == -1)
+ { /* ok */ }
+ else if (brushID < 0 || (u32)brushID >= Materials.size())
+ {
+ os::Printer::log("Illegal brush ID found", B3DFile->getFileName(), ELL_ERROR);
+ return false;
+ }
+ else
 {
 meshBuffer->Material=Materials[brushID].Material;
 }
@@ -354,7 +361,8 @@ bool CB3DMeshFileLoader::readChunkVRTS(CSkinnedMesh::SJoint *inJoint)
 tex_coord_set_size = os::Byteswap::byteswap(tex_coord_set_size);
 #endif
- if (tex_coord_sets >= max_tex_coords || tex_coord_set_size >= 4) // Something is wrong
+ if (tex_coord_sets < 0 || tex_coord_set_size < 0 ||
+ tex_coord_sets >= max_tex_coords || tex_coord_set_size >= 4) // Something is wrong
 {
 os::Printer::log("tex_coord_sets or tex_coord_set_size too big", B3DFile->getFileName(), ELL_ERROR);
 return false;
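Review bot: In readChunkMESH the range check on `brushID` runs only after `AnimatedMesh->addMeshBuffer()` on the context line above it, so the new `return false` path leaves a freshly added, empty mesh buffer on the mesh; whether the caller discards the whole mesh on failure is not visible in this hunk. Validating `brushID` before the buffer is added (or once at the point where it is read, which is outside the hunk) avoids that half-built state. The empty `{ /* ok */ }` arm could also go by nesting the range test inside `if (brushID != -1) { ... }`. The same three-way check is repeated for `triangle_brush_id` in readChunkTRIS, so a small shared helper for "valid index into Materials" would keep the two in step.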
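Review bot: In readChunkVRTS the log text still reads "tex_coord_sets or tex_coord_set_size too big", but the widened condition now also rejects negative values, so the message will mislead whoever triages a file that trips the new `< 0` tests. A wording that covers both cases, such as `"tex_coord_sets or tex_coord_set_size out of range"`, matches what the condition actually checks. The function body starts and ends outside this hunk.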
@@ -458,13 +466,18 @@ bool CB3DMeshFileLoader::readChunkTRIS(scene::SSkinMeshBuffer *meshBuffer, u32 m
 SB3dMaterial *B3dMaterial;
- if (triangle_brush_id != -1)
+ if (triangle_brush_id == -1)
+ B3dMaterial = 0;
+ else if (triangle_brush_id < 0 || (u32)triangle_brush_id >= Materials.size())
+ {
+ os::Printer::log("Illegal material index found", B3DFile->getFileName(), ELL_ERROR);
+ return false;
+ }
+ else
 {
 B3dMaterial = &Materials[triangle_brush_id];
 meshBuffer->Material = B3dMaterial->Material;
 }
- else
- B3dMaterial = 0;
 const s32 memoryNeeded = B3dStack.getLast().length / sizeof(s32);
 meshBuffer->Indices.reallocate(memoryNeeded + meshBuffer->Indices.size() + 1);
@@ -583,6 +596,12 @@ bool CB3DMeshFileLoader::readChunkBONE(CSkinnedMesh::SJoint *inJoint)
 #endif
 globalVertexID += VerticesStart;
+ if (globalVertexID >= AnimatedVertices_VertexID.size())
+ {
+ os::Printer::log("Illegal vertex index found", B3DFile->getFileName(), ELL_ERROR);
+ return false;
+ }
+
 if (AnimatedVertices_VertexID[globalVertexID]==-1)
 {
 os::Printer::log("B3dMeshLoader: Weight has bad vertex id (no link to meshbuffer index found)");
diff --git a/source/Irrlicht/SB3DStructs.h b/source/Irrlicht/SB3DStructs.h
index 062183a3..7c7c7de9 100644
--- a/source/Irrlicht/SB3DStructs.h
+++ b/source/Irrlicht/SB3DStructs.h
@@ -10,6 +10,7 @@
 #pragma once
 #include "SMaterial.h"
+#include "irrMath.h"
 namespace irr {
 namespace scene {
@@ -25,6 +26,7 @@ struct SB3dChunk
 SB3dChunk(const SB3dChunkHeader& header, long sp)
 : length(header.size+8), startposition(sp)
 {
+ length = core::max_(length, 8);
 name[0]=header.name[0];
 name[1]=header.name[1];
 name[2]=header.name[2];
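Review bot: In readChunkTRIS the material index is now bounded, but `memoryNeeded` on the context line just below is still derived directly from the chunk length stored in the file and handed to `meshBuffer->Indices.reallocate(...)` with no upper limit. This patch clamps the length only from below (in the SB3dChunk constructor), so a header that claims a very large chunk presumably still drives a correspondingly large allocation before any triangle data has been read. Rejecting a chunk whose length exceeds the bytes remaining in the file before reallocating would close that gap; the reader interface needed for it is not shown in this hunk. A comment on the `length / sizeof(s32)` line noting that the length is guaranteed to be at least 8 would also document why the signed-by-unsigned division is safe.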
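Review bot: In readChunkBONE the new bound is tested after `globalVertexID += VerticesStart;`, so if both operands are unsigned 32-bit values (their declarations are outside this hunk) an oversized ID from the file can wrap around and land back inside the valid range. The array access stays in bounds, but the weight would then attach silently to an unrelated vertex instead of the file being rejected. Testing the raw ID against the remaining room before the addition, e.g. `if (globalVertexID >= AnimatedVertices_VertexID.size() - VerticesStart)` guarded by a check that `VerticesStart` does not exceed the size, avoids depending on the wrapped sum.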
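Review bot: In the SB3dChunk constructor the clamp runs only after the initializer `length(header.size+8)` has been evaluated, so if `header.size` is a signed 32-bit field (its declaration is outside this hunk) a value near the type's maximum overflows in the addition, which is undefined behaviour for signed integers, before `core::max_` sees it. Range-testing `header.size` itself before adding 8, and falling back to 8 when it is negative or too large to add to, avoids relying on the wrapped result. The clamp also sets no upper bound, so callers still need to compare the length with the file size. A short comment such as `// a chunk can never be shorter than its own 8-byte header` would explain the constant.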