From 80e160935d3c2677344b0968c2690f63083a98dd Mon Sep 17 00:00:00 2001
From: sfan5 <sfan5@live.de>
Date: Mon, 18 Sep 2023 19:27:28 +0200
Subject: [PATCH] COBJMeshFileLoader: fix buffer overruns

---
 source/Irrlicht/COBJMeshFileLoader.cpp | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/source/Irrlicht/COBJMeshFileLoader.cpp b/source/Irrlicht/COBJMeshFileLoader.cpp
index 55565e1b..a104ae92 100644
--- a/source/Irrlicht/COBJMeshFileLoader.cpp
+++ b/source/Irrlicht/COBJMeshFileLoader.cpp
@@ -72,8 +72,8 @@ IAnimatedMesh* COBJMeshFileLoader::createMesh(io::IReadFile* file)
 
 	const io::path fullName = file->getFileName();
 
-	c8* buf = new c8[filesize];
-	memset(buf, 0, filesize);
+	c8* buf = new c8[filesize+1]; // plus null-terminator
+	memset(buf, 0, filesize+1);
 	file->read((void*)buf, filesize);
 	const c8* const bufEnd = buf+filesize;
 
@@ -100,7 +100,7 @@ IAnimatedMesh* COBJMeshFileLoader::createMesh(io::IReadFile* file)
 				c8 name[WORD_BUFFER_LENGTH];
 				bufPtr = goAndCopyNextWord(name, bufPtr, WORD_BUFFER_LENGTH, bufEnd);
 #ifdef _IRR_DEBUG_OBJ_LOADER_
-				os::Printer::log("Reading material file",name);
+				os::Printer::log("Ignoring material file",name);
 #endif
 			}
 		}
@@ -226,6 +226,7 @@ IAnimatedMesh* COBJMeshFileLoader::createMesh(io::IReadFile* file)
 				{
 					os::Printer::log("Invalid vertex index in this line", wordBuffer.c_str(), ELL_ERROR);
 					delete [] buf;
+					cleanUp();
 					return 0;
 				}
 				if ( -1 != Idx[1] && Idx[1] < (irr::s32)textureCoordBuffer.size() )
@@ -259,6 +260,14 @@ IAnimatedMesh* COBJMeshFileLoader::createMesh(io::IReadFile* file)
 				linePtr = goNextWord(linePtr, endPtr);
 			}
 
+			if (faceCorners.size() < 3)
+			{
+				os::Printer::log("Too few vertices in this line", wordBuffer.c_str(), ELL_ERROR);
+				delete [] buf;
+				cleanUp();
+				return 0;
+			}
+
 			// triangulate the face
 			const int c = faceCorners[0];
 			for ( u32 i = 1; i < faceCorners.size() - 1; ++i )