From 9e27a6d4bfacd6b14d73abbfca455d81c881c999 Mon Sep 17 00:00:00 2001
From: cutealien
Date: Sat, 8 Jan 2022 17:30:06 +0000
Subject: [PATCH] Avoid allocating more than 16k on stack in OCT loader. Also avoid potential heap overwrites in there. Sadly I have no examples for OCT files and it doesn't seem like a very common format as I couldn't even find any examples online. So just assuming my changes work.
git-svn-id: svn://svn.code.sf.net/p/irrlicht/code/trunk@6291 dfc29bdd-3216-0410-991c-e03cc46cb475
---
 changes.txt | 1 +
 source/Irrlicht/COCTLoader.cpp | 29 ++++++++++++++++++++---------
 source/Irrlicht/COCTLoader.h | 2 --
 3 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/changes.txt b/changes.txt
index 1c8bc039..24a01f33 100644
--- a/changes.txt
+++ b/changes.txt
@@ -1,5 +1,6 @@
 --------------------------
 Changes in 1.9 (not yet released)
+- Avoid allocating more than 16k on stack in OCT loader. Also avoid potential heap overwrites in there.
 - obj file loader now allows using mtl files with spaces in the filename. Note that this means it no longer handles obj files which have multiple mtl files behind the mtllib command. But Irrlicht ignored all but the first name anyway and this way of handling mtllib commands seems to be more common.
diff --git a/source/Irrlicht/COCTLoader.cpp b/source/Irrlicht/COCTLoader.cpp
index fb7025f7..c09120e4 100644
--- a/source/Irrlicht/COCTLoader.cpp
+++ b/source/Irrlicht/COCTLoader.cpp
@@ -102,18 +102,29 @@ IAnimatedMesh* COCTLoader::createMesh(io::IReadFile* file)
 file->read(verts, sizeof(octVert) * header.numVerts);
 file->read(faces, sizeof(octFace) * header.numFaces);
- //TODO: Make sure id is in the legal range for Textures and Lightmaps
 u32 i;
- for (i = 0; i < header.numTextures; i++) {
- octTexture t;
- file->read(&t, sizeof(octTexture));
- textures[t.id] = t;
+ for (i = 0; i < header.numTextures; i++)
+ {
+ u32 id;
+ file->read(&id, sizeof(id));
+ if ( id >= header.numTextures )
+ {
+ os::Printer::log("COCTLoader: Invalid texture id", irr::ELL_WARNING);
+ id = i;
+ }
+ file->read(&textures[id], sizeof(octTexture));
 }
- for (i = 0; i < header.numLightmaps; i++) {
- octLightmap t;
- file->read(&t, sizeof(octLightmap));
- lightmaps[t.id] = t;
+ for (i = 0; i < header.numLightmaps; i++)
+ {
+ u32 id;
+ file->read(&id, sizeof(id));
+ if ( id >= header.numLightmaps )
+ {
+ os::Printer::log("COCTLoader: Invalid lightmap id", irr::ELL_WARNING);
+ id = i;
+ }
+ file->read(&lightmaps[id], sizeof(octLightmap));
 }
 file->read(lights, sizeof(octLight) * header.numLights);
diff --git a/source/Irrlicht/COCTLoader.h b/source/Irrlicht/COCTLoader.h
index 75c6ff1d..98acdcbf 100644
--- a/source/Irrlicht/COCTLoader.h
+++ b/source/Irrlicht/COCTLoader.h
@@ -115,12 +115,10 @@ namespace scene
 };
 struct octTexture {
- u32 id;
 char fileName[64];
 };
 struct octLightmap {
- u32 id;
 u8 data[128][128][3];
 };
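Review bot: The result of `file->read(&id, sizeof(id))` is ignored in both new loops of `COCTLoader::createMesh` (COCTLoader.cpp), so on a truncated file `id` is compared while still uninitialized and the read that follows may fill `textures[id]` or `lightmaps[id]` only partly. The range check keeps the index inside the array either way, but folding the read result into it makes the outcome deterministic: `if ( file->read(&id, sizeof(id)) != sizeof(id) || id >= header.numTextures )`, and the same with `header.numLightmaps` in the second loop. Separately, remapping a bad id to `i` and accepting repeated ids can overwrite one slot and leave another never written; whether unwritten slots start zeroed depends on the allocation, which is outside this hunk, so rejecting the file with a logged error may be the safer response to a malformed record. The function body starts and ends outside the hunk, so any early exit would have to go through whatever cleanup the existing code uses for `verts`, `faces` and the other buffers.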