Overview

File 0001-NDO-Fix-possible-overflow-access.patch of Package assimp

From d307c9f1d7ee867a35cc6edbfab46ca78eeea5f2 Mon Sep 17 00:00:00 2001
From: Zhang Yuntong <ang.unong@gmail.com>
Date: Tue, 25 Mar 2025 04:21:32 +0800
Subject: [PATCH] NDO: Fix possible overflow access (#6055)

* NDO: Fix possible overflow access
- closes https://issues.oss-fuzz.com/issues/372765427

---------

Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>
---
 code/AssetLib/NDO/NDOLoader.cpp | 51 ++++++++++++++++++++-------------
 1 file changed, 31 insertions(+), 20 deletions(-)

diff --git a/code/AssetLib/NDO/NDOLoader.cpp b/code/AssetLib/NDO/NDOLoader.cpp
index 7225b0100..77640b172 100644
--- a/code/AssetLib/NDO/NDOLoader.cpp
+++ b/code/AssetLib/NDO/NDOLoader.cpp
@@ -91,6 +91,36 @@ void NDOImporter::SetupProperties(const Importer* /*pImp*/)
     // nothing to be done for the moment
 }
 
+// ------------------------------------------------------------------------------------------------
+// Helper function to process edges and vertices for a face
+void ProcessFaceEdgesAndVertices(const NDOImporter::Object& obj,
+    unsigned int start_edge, unsigned int key,
+    std::vector<aiVector3D>& vertices, std::vector<unsigned int>& indices)
+{
+    unsigned int cur_edge = start_edge;
+    do {
+        unsigned int next_edge, next_vert;
+        if (key == obj.edges[cur_edge].edge[3]) {
+            next_edge = obj.edges[cur_edge].edge[5];
+            next_vert = obj.edges[cur_edge].edge[1];
+        }
+        else {
+            next_edge = obj.edges[cur_edge].edge[4];
+            next_vert = obj.edges[cur_edge].edge[0];
+        }
+        indices.push_back( static_cast<unsigned int>(vertices.size()) );
+        if (next_vert < obj.vertices.size()) {
+            vertices.push_back(obj.vertices[ next_vert ].val);
+        }
+        else {
+            ASSIMP_LOG_WARN("NDOImporter: next_vert is out of bounds, skipping invalid access.");
+            break;
+        }
+
+        cur_edge = next_edge;
+    } while (cur_edge != start_edge);
+}
+
 // ------------------------------------------------------------------------------------------------
 // Imports the given file into the given scene structure.
 void NDOImporter::InternReadFile( const std::string& pFile,
@@ -262,26 +292,7 @@ void NDOImporter::InternReadFile( const std::string& pFile,
 
             aiFace& f = *faces++;
 
-            const unsigned int key = v.first;
-            unsigned int cur_edge = v.second;
-            while (true) {
-                unsigned int next_edge, next_vert;
-                if (key == obj.edges[cur_edge].edge[3]) {
-                    next_edge = obj.edges[cur_edge].edge[5];
-                    next_vert = obj.edges[cur_edge].edge[1];
-                }
-                else {
-                    next_edge = obj.edges[cur_edge].edge[4];
-                    next_vert = obj.edges[cur_edge].edge[0];
-                }
-                indices.push_back( static_cast<unsigned int>(vertices.size()) );
-                vertices.push_back(obj.vertices[ next_vert ].val);
-
-                cur_edge = next_edge;
-                if (cur_edge == v.second) {
-                    break;
-                }
-            }
+            ProcessFaceEdgesAndVertices(obj, v.second, v.first, vertices, indices);
 
             f.mIndices = new unsigned int[f.mNumIndices = static_cast<unsigned int>(indices.size())];
             std::copy(indices.begin(),indices.end(),f.mIndices);
-- 
2.49.0
openSUSE Build Service is sponsored by
Places