pool/assimp
SHA256
17
0
Fork 1
Code Issues Pull Requests Activity
Files
factory
assimp/CVE-2025-5200.patch
Christophe Marin 4641b8e6ad 6.0.4 update 
OBS-URL: https://build.opensuse.org/package/show/games/assimp?expand=0&rev=84
2026-02-09 13:03:38 +00:00

54 lines
2.4 KiB
Diff
Raw Permalink Blame History

From 18798f150d5baaccedca6a2d7ea343a252c948ee Mon Sep 17 00:00:00 2001
From: peng <mapengyuan@xfusion.com>
Date: Fri, 30 Jan 2026 04:10:18 +0800
Subject: [PATCH] MDL: Fix heap buffer overflow in MDLImporter frame parsing
(#6456)
Add buffer boundary checks before reading frame data to prevent out-of-bounds reads on malformed MDL files.
Fixes #6172 (CVE-2025-5200)
Signed-off-by: mapengyuan <mapengyuan@xfusion.com>
Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>
---
code/AssetLib/MDL/MDLLoader.cpp | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/code/AssetLib/MDL/MDLLoader.cpp b/code/AssetLib/MDL/MDLLoader.cpp
index 9a0ae81d3..3a3dec955 100644
--- a/code/AssetLib/MDL/MDLLoader.cpp
+++ b/code/AssetLib/MDL/MDLLoader.cpp
@@ -450,12 +450,14 @@ void MDLImporter::InternReadFile_Quake1() {
BE_NCONST MDL::Frame *pcFrames = (BE_NCONST MDL::Frame *)szCurrent;
MDL::SimpleFrame *pcFirstFrame;
+ VALIDATE_FILE_SIZE((const unsigned char *)(pcFrames + 1));
if (0 == pcFrames->type) {
// get address of single frame
pcFirstFrame = (MDL::SimpleFrame *)&pcFrames->frame;
} else {
// get the first frame in the group
BE_NCONST MDL::GroupFrame *pcFrames2 = (BE_NCONST MDL::GroupFrame *)szCurrent;
+ VALIDATE_FILE_SIZE((const unsigned char *)(pcFrames2 + 1));
pcFirstFrame = (MDL::SimpleFrame *)( szCurrent + sizeof(MDL::GroupFrame::type) + sizeof(MDL::GroupFrame::numframes)
+ sizeof(MDL::GroupFrame::min) + sizeof(MDL::GroupFrame::max) + sizeof(*MDL::GroupFrame::times) * pcFrames2->numframes );
}
@@ -703,6 +705,7 @@ void MDLImporter::InternReadFile_3DGS_MDL345() {
// now get a pointer to the first frame in the file
BE_NCONST MDL::Frame *pcFrames = (BE_NCONST MDL::Frame *)szCurrent;
+ VALIDATE_FILE_SIZE((const unsigned char *)(pcFrames + 1));
AI_SWAP4(pcFrames->type);
// byte packed vertices
@@ -1173,6 +1176,7 @@ bool MDLImporter::ProcessFrames_3DGS_MDL7(const MDL::IntGroupInfo_MDL7 &groupInf
for (unsigned int iFrame = 0; iFrame < (unsigned int)groupInfo.pcGroup->numframes; ++iFrame) {
MDL::IntFrameInfo_MDL7 frame((BE_NCONST MDL::Frame_MDL7 *)szCurrent, iFrame);
+ VALIDATE_FILE_SIZE((const unsigned char *)(frame.pcFrame + 1));
AI_SWAP4(frame.pcFrame->vertices_count);
AI_SWAP4(frame.pcFrame->transmatrix_count);
--
2.52.0
Reference in New Issue View Git Blame Copy Permalink