assimp/CVE-2025-2756.patch

From ae6633ef8a8b686a7a080e9ad65fc77fd712e4b4 Mon Sep 17 00:00:00 2001
From: peng <mapengyuan@xfusion.com>
Date: Thu, 29 Jan 2026 04:33:55 +0800
Subject: [PATCH] Fix AC3DImporter heap-buffer-overflow by validating mesh
 vertex bounds (#6458)

Add validations check in AC3DImporter::ConvertObjectSection to ensure that writing TriangleStrip vertex data does not exceed mesh->mNumVertices allocation.
Fixes #6015 (CVE-2025-2754)
Fixes #6018 (CVE-2025-2756)

Signed-off-by: mapengyuan <mapengyuan@xfusion.com>
---
 code/AssetLib/AC/ACLoader.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/code/AssetLib/AC/ACLoader.cpp b/code/AssetLib/AC/ACLoader.cpp
index 006c00cac..df86ce92c 100644
--- a/code/AssetLib/AC/ACLoader.cpp
+++ b/code/AssetLib/AC/ACLoader.cpp
@@ -607,6 +607,10 @@ aiNode *AC3DImporter::ConvertObjectSection(Object &object,
                                 const Surface::SurfaceEntry &entry1 = src.entries[i];
                                 const Surface::SurfaceEntry &entry2 = src.entries[i + 1];
                                 const Surface::SurfaceEntry &entry3 = src.entries[i + 2];
+                                const unsigned int verticesNeeded = isDoubleSided ? 6 : 3;
+                                if (static_cast<unsigned>(vertices - mesh->mVertices) + verticesNeeded > mesh->mNumVertices) {
+                                    throw DeadlyImportError("AC3D: Invalid number of vertices");
+                                }
 
                                 aiFace &face = *faces++;
                                 face.mNumIndices = 3;
@@ -661,6 +665,10 @@ aiNode *AC3DImporter::ConvertObjectSection(Object &object,
                             unsigned int tmp = (unsigned int)(*it).entries.size();
                             if (Surface::OpenLine == type) --tmp;
                             for (unsigned int m = 0; m < tmp; ++m) {
+                                if (static_cast<unsigned>(vertices - mesh->mVertices) + 2 > mesh->mNumVertices) {
+                                    throw DeadlyImportError("AC3D: Invalid number of vertices");
+                                }
+
                                 aiFace &face = *faces++;
 
                                 face.mNumIndices = 2;
-- 
2.52.0