
Commit c4c39f4

committed
MD3: Fix MD3Importer surface header bounds checks to prevent heap overflow
Improve bounds checks in MD3Importer::ValidateSurfaceHeaderOffsets to prevent pcSurf from accessing data outside the MD3 buffer (fixes #6070, CVE-2025-3549). Signed-off-by: mapengyuan <mapengyuan@xfusion.com>
1 parent d1e6bcf commit c4c39f4

1 file changed

Lines changed: 13 additions & 5 deletions


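--- a/code/AssetLib/MD3/MD3Loader.cpp
+++ b/code/AssetLib/MD3/MD3Loader.cpp
@@ -390,13 +390,21 @@ void MD3Importer::ValidateHeaderOffsets() {
 void MD3Importer::ValidateSurfaceHeaderOffsets(const MD3::Surface *pcSurf) {
 // Calculate the relative offset of the surface
 const int32_t ofs = int32_t((const unsigned char *)pcSurf - this->mBuffer);
+if (ofs + sizeof(MD3::Surface) > fileSize) {
+throw DeadlyImportError("Surface header is outside file bounds");
+}
 
+auto inRange = [this, ofs](uint32_t rel_offset, uint32_t count, size_t elem_size) -> bool {
+size_t abs_offset = ofs + rel_offset;
+if (count > 0 && elem_size > 0 && count > SIZE_MAX / elem_size) return false;
+size_t total = abs_offset + size_t(count) * elem_size;
+return abs_offset <= fileSize && total <= fileSize;
+};
 // Check whether all data chunks are inside the valid range
-if (pcSurf->OFS_TRIANGLES + ofs + pcSurf->NUM_TRIANGLES * sizeof(MD3::Triangle) > fileSize ||
-pcSurf->OFS_SHADERS + ofs + pcSurf->NUM_SHADER * sizeof(MD3::Shader) > fileSize ||
-pcSurf->OFS_ST + ofs + pcSurf->NUM_VERTICES * sizeof(MD3::TexCoord) > fileSize ||
-pcSurf->OFS_XYZNORMAL + ofs + pcSurf->NUM_VERTICES * sizeof(MD3::Vertex) > fileSize) {
-
+if (!inRange(pcSurf->OFS_TRIANGLES, pcSurf->NUM_TRIANGLES, sizeof(MD3::Triangle)) ||
+!inRange(pcSurf->OFS_SHADERS, pcSurf->NUM_SHADER, sizeof(MD3::Shader)) ||
+!inRange(pcSurf->OFS_ST, pcSurf->NUM_VERTICES, sizeof(MD3::TexCoord)) ||
+!inRange(pcSurf->OFS_XYZNORMAL, pcSurf->NUM_VERTICES, sizeof(MD3::Vertex))) {
 throw DeadlyImportError("Invalid MD3 surface header: some offsets are outside the file");
 }
 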
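Review bot: In the `inRange` lambda, `size_t abs_offset = ofs + rel_offset;` still adds an `int32_t` to a `uint32_t`, so the sum is evaluated in 32-bit unsigned arithmetic and can wrap to a small value before it is widened to `size_t`; a large relative offset in the surface header can then pass both comparisons. Widening first closes that: `const size_t abs_offset = size_t(ofs) + rel_offset;`, with the opening guard also rejecting a negative `ofs`, `if (ofs < 0 || size_t(ofs) + sizeof(MD3::Surface) > fileSize) {`. Where `size_t` is 32 bits the addition in `total` can wrap too, so the final test reads more safely in subtraction form, `return abs_offset <= fileSize && size_t(count) * elem_size <= fileSize - abs_offset;`. The body of ValidateSurfaceHeaderOffsets continues past the end of the hunk, so how the offsets are used afterwards is not visible here.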