sanity checking of most header offsets/sizes in IQM

git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@10223 d7cf8633-e32d-0410-b094-e92efae38249

diff --git a/model_alias.c b/model_alias.c
index b87e65bb5e1b37f6c9a1df402f171093af817165..01a01fa43061f4c44f72338af2f7d10022cfaa1b 100644 (file)
--- a/model_alias.c
+++ b/model_alias.c
@@ -3075,7 +3075,7 @@ void Mod_INTERQUAKEMODEL_Load(dp_model_t *mod, void *buffer, void *bufferend)
 {
        unsigned char *data;
        const char *text;
-       unsigned char *pbase;
+       unsigned char *pbase, *pend;
        iqmheader_t *header;
        skinfile_t *skinfiles;
        int i, j, k, meshvertices, meshtriangles;
@@ -3094,6 +3094,7 @@ void Mod_INTERQUAKEMODEL_Load(dp_model_t *mod, void *buffer, void *bufferend)
        float *outvertex, *outnormal, *outtexcoord, *outsvector, *outtvector;
 
        pbase = (unsigned char *)buffer;
+       pend = (unsigned char *)bufferend;
        header = (iqmheader_t *)buffer;
        if (memcmp(header->id, "INTERQUAKEMODEL", 16))
                Host_Error ("Mod_INTERQUAKEMODEL_Load: %s is not an Inter-Quake Model", loadmodel->name);
@@ -3144,14 +3145,39 @@ void Mod_INTERQUAKEMODEL_Load(dp_model_t *mod, void *buffer, void *bufferend)
                return;
        }
 
+       if (pbase + header->ofs_text + header->num_text > pend ||
+               pbase + header->ofs_meshes + header->num_meshes*sizeof(iqmmesh_t) > pend ||
+               pbase + header->ofs_vertexarrays + header->num_vertexarrays*sizeof(iqmvertexarray_t) > pend ||
+               pbase + header->ofs_triangles + header->num_triangles*sizeof(int[3]) > pend ||
+               (header->ofs_neighbors && pbase + header->ofs_neighbors + header->num_triangles*sizeof(int[3]) > pend) ||
+               pbase + header->ofs_joints + header->num_joints*sizeof(iqmjoint_t) > pend ||
+               pbase + header->ofs_poses + header->num_poses*sizeof(iqmpose_t) > pend ||
+               pbase + header->ofs_anims + header->num_anims*sizeof(iqmanim_t) > pend ||
+               pbase + header->ofs_frames + header->num_frames*header->num_framechannels*sizeof(unsigned short) > pend ||
+               pbase + header->ofs_comment + header->num_comment > pend)
+       {
+               Con_Printf("%s has invalid size or offset information\n", loadmodel->name);
+               return;
+       }
+
        va = (iqmvertexarray_t *)(pbase + header->ofs_vertexarrays);
        for (i = 0;i < (int)header->num_vertexarrays;i++)
        {
+               size_t vsize;
                va[i].type = LittleLong(va[i].type);
                va[i].flags = LittleLong(va[i].flags);
                va[i].format = LittleLong(va[i].format);
                va[i].size = LittleLong(va[i].size);
                va[i].offset = LittleLong(va[i].offset);
+               vsize = header->num_vertexes*va[i].size;
+               switch (va[i].format)
+               { 
+               case IQM_FLOAT: vsize *= sizeof(float); break;
+               case IQM_UBYTE: vsize *= sizeof(unsigned char); break;
+               default: continue;
+               }
+               if (pbase + va[i].offset + vsize > pend)
+                 continue;
                switch (va[i].type)
                {
                case IQM_POSITION: