From ae6633ef8a8b686a7a080e9ad65fc77fd712e4b4 Mon Sep 17 00:00:00 2001
From: peng
Date: Thu, 29 Jan 2026 04:33:55 +0800
Subject: [PATCH] Fix AC3DImporter heap-buffer-overflow by validating mesh vertex bounds (#6458)

Add validations check in AC3DImporter::ConvertObjectSection to ensure that writing TriangleStrip vertex data does not exceed mesh->mNumVertices allocation.
Fixes #6015 (CVE-2025-2754)
Fixes #6018 (CVE-2025-2756)
Signed-off-by: mapengyuan
---
 code/AssetLib/AC/ACLoader.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/code/AssetLib/AC/ACLoader.cpp b/code/AssetLib/AC/ACLoader.cpp
index 006c00cac..df86ce92c 100644
--- a/code/AssetLib/AC/ACLoader.cpp
+++ b/code/AssetLib/AC/ACLoader.cpp
@@ -607,6 +607,10 @@ aiNode *AC3DImporter::ConvertObjectSection(Object &object,
 const Surface::SurfaceEntry &entry1 = src.entries[i];
 const Surface::SurfaceEntry &entry2 = src.entries[i + 1];
 const Surface::SurfaceEntry &entry3 = src.entries[i + 2];
+ const unsigned int verticesNeeded = isDoubleSided ? 6 : 3;
+ if (static_cast(vertices - mesh->mVertices) + verticesNeeded > mesh->mNumVertices) {
+ throw DeadlyImportError("AC3D: Invalid number of vertices");
+ }
 aiFace &face = *faces++;
 face.mNumIndices = 3;
@@ -661,6 +665,10 @@ aiNode *AC3DImporter::ConvertObjectSection(Object &object,
 unsigned int tmp = (unsigned int)(*it).entries.size();
 if (Surface::OpenLine == type) --tmp;
 for (unsigned int m = 0; m < tmp; ++m) {
+ if (static_cast(vertices - mesh->mVertices) + 2 > mesh->mNumVertices) {
+ throw DeadlyImportError("AC3D: Invalid number of vertices");
+ }
+
 aiFace &face = *faces++;
 face.mNumIndices = 2;
--
2.52.0
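Review bot: The new guard in the triangle-strip hunk bounds only the `vertices` cursor, while `aiFace &face = *faces++;` right after it advances a second cursor that gets no equivalent check; the line-segment hunk at -661 has the same shape. If the pass that sizes the mesh can undercount vertices for a malformed file, it may undercount faces as well (that sizing code is outside both hunks, so this is inferred), and the face write would then be the next out-of-bounds store. A matching check before each `*faces++`, such as `if (static_cast<size_t>(faces - mesh->mFaces) + facesNeeded > mesh->mNumFaces) throw DeadlyImportError("AC3D: Invalid number of faces");`, would close that. ConvertObjectSection starts and ends outside the hunks.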
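Review bot: The bare `2` in the line-segment guard is the only place that records how many vertices one iteration of the `m` loop writes, whereas the triangle-strip guard names the same quantity `verticesNeeded`. Naming it here too, e.g. `const unsigned int verticesNeeded = 2; // one segment writes two vertices`, keeps the two checks parallel and makes it harder for the count and the writes below it to drift apart. Both guards also throw the identical message `"AC3D: Invalid number of vertices"`, so a log line cannot say which surface type rejected the file; including the surface kind in the text would help triage of malformed inputs. The loop body continues outside the hunk.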