Merging r6270 from branch releases/1.8 to trunk

- Prevent buffer overflow in md2 loader git-svn-id: svn://svn.code.sf.net/p/irrlicht/code/trunk@6271 dfc29bdd-3216-0410-991c-e03cc46cb475
2025-01-12 16:27:33 +01:00 · 2021-12-12 13:55:03 +00:00 · 2021-12-12 13:55:03 +00:00 · 2bed22acbb
commit 2bed22acbb
parent 73d562d745
2 changed files with 9 additions and 1 deletions
--- a/changes.txt
+++ b/changes.txt
@ -334,6 +334,7 @@ Changes in 1.9 (not yet released)

 --------------------------
 Changes in 1.8.6 
+- Security: Fix buffer overflow caused by malformed md2 files. Thanks @procfs for reporting (https://irrlicht.sourceforge.io/forum/viewtopic.php?f=7&t=52785)
 - Makefile now only adds CFLAGS instead of overwriting them.
 - Several spelling fixes (Patch #455). Thanks @J. Puydt

--- a/source/Irrlicht/CMD2MeshFileLoader.cpp
+++ b/source/Irrlicht/CMD2MeshFileLoader.cpp
@ -151,6 +151,13 @@ bool CMD2MeshFileLoader::loadFile(io::IReadFile* file, CAnimatedMeshMD2* mesh)
 		return false;
 	}

+	const int MAX_FRAME_SIZE = MD2_MAX_VERTS*4+128;
+	if ( header.frameSize > MAX_FRAME_SIZE )
+	{
+		os::Printer::log("MD2 Loader: Invalid large frame size in header", file->getFileName(), ELL_WARNING);
+		return false;
+	}
+
 	//
 	// prepare mesh and allocate memory
 	//
@ -232,7 +239,7 @@ bool CMD2MeshFileLoader::loadFile(io::IReadFile* file, CAnimatedMeshMD2* mesh)

 	// read Vertices

-	u8 buffer[MD2_MAX_VERTS*4+128];
+	u8 buffer[MAX_FRAME_SIZE];
 	SMD2Frame* frame = (SMD2Frame*)buffer;

 	file->seek(header.offsetFrames);