From 2a0fe591abb661757d30036c33bbb50f85849acb Mon Sep 17 00:00:00 2001
From: eihrul
Date: Tue, 1 Jun 2010 19:52:53 +0000
Subject: [PATCH] sanity checking of most header offsets/sizes in IQM
git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@10223 d7cf8633-e32d-0410-b094-e92efae38249
---
 model_alias.c | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/model_alias.c b/model_alias.c
index b87e65bb..01a01fa4 100644
--- a/model_alias.c
+++ b/model_alias.c
@@ -3075,7 +3075,7 @@ void Mod_INTERQUAKEMODEL_Load(dp_model_t *mod, void *buffer, void *bufferend)
 {
 	unsigned char *data;
 	const char *text;
-	unsigned char *pbase;
+	unsigned char *pbase, *pend;
 	iqmheader_t *header;
 	skinfile_t *skinfiles;
 	int i, j, k, meshvertices, meshtriangles;
@@ -3094,6 +3094,7 @@ void Mod_INTERQUAKEMODEL_Load(dp_model_t *mod, void *buffer, void *bufferend)
 	float *outvertex, *outnormal, *outtexcoord, *outsvector, *outtvector;
 	pbase = (unsigned char *)buffer;
+	pend = (unsigned char *)bufferend;
 	header = (iqmheader_t *)buffer;
 	if (memcmp(header->id, "INTERQUAKEMODEL", 16))
 		Host_Error ("Mod_INTERQUAKEMODEL_Load: %s is not an Inter-Quake Model", loadmodel->name);
@@ -3144,14 +3145,39 @@ void Mod_INTERQUAKEMODEL_Load(dp_model_t *mod, void *buffer, void *bufferend)
 		return;
 	}
+	if (pbase + header->ofs_text + header->num_text > pend ||
+		pbase + header->ofs_meshes + header->num_meshes*sizeof(iqmmesh_t) > pend ||
+		pbase + header->ofs_vertexarrays + header->num_vertexarrays*sizeof(iqmvertexarray_t) > pend ||
+		pbase + header->ofs_triangles + header->num_triangles*sizeof(int[3]) > pend ||
+		(header->ofs_neighbors && pbase + header->ofs_neighbors + header->num_triangles*sizeof(int[3]) > pend) ||
+		pbase + header->ofs_joints + header->num_joints*sizeof(iqmjoint_t) > pend ||
+		pbase + header->ofs_poses + header->num_poses*sizeof(iqmpose_t) > pend ||
+		pbase + header->ofs_anims + header->num_anims*sizeof(iqmanim_t) > pend ||
+		pbase + header->ofs_frames + header->num_frames*header->num_framechannels*sizeof(unsigned short) > pend ||
+		pbase + header->ofs_comment + header->num_comment > pend)
+	{
+		Con_Printf("%s has invalid size or offset information\n", loadmodel->name);
+		return;
+	}
 	va = (iqmvertexarray_t *)(pbase + header->ofs_vertexarrays);
 	for (i = 0;i < (int)header->num_vertexarrays;i++)
 	{
+		size_t vsize;
 		va[i].type = LittleLong(va[i].type);
 		va[i].flags = LittleLong(va[i].flags);
 		va[i].format = LittleLong(va[i].format);
 		va[i].size = LittleLong(va[i].size);
 		va[i].offset = LittleLong(va[i].offset);
+		vsize = header->num_vertexes*va[i].size;
+		switch (va[i].format)
+		{
+		case IQM_FLOAT: vsize *= sizeof(float); break;
+		case IQM_UBYTE: vsize *= sizeof(unsigned char); break;
+		default: continue;
+		}
+		if (pbase + va[i].offset + vsize > pend)
+			continue;
 		switch (va[i].type)
 		{
 		case IQM_POSITION:
-- 
2.39.2
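Review bot: The new bounds checks can be defeated by integer wrap: `vsize = header->num_vertexes*va[i].size` multiplies two unsigned ints before the size_t widening, `header->num_frames*header->num_framechannels` does the same, and on 32-bit targets `pbase + ofs + len` can itself wrap to an address below `pend`, so a crafted header passes the check and the reads that follow run past the buffer. Comparing lengths as integers against `pend - pbase` avoids forming out-of-range pointers (undefined behaviour in itself) and makes the overflow guard explicit, as sketched below. The per-array `continue` on a truncated or unknown-format vertex array silently drops that array rather than rejecting the model; whether the code after the hunk tolerates a missing IQM_POSITION is not visible here. This assumes the header fields were already byte-swapped above the hunk; Mod_INTERQUAKEMODEL_Load starts and ends outside it.
```c
/* True when [ofs, ofs + count*elemsize) lies inside a buffer of bufsize bytes.
 * Done on integers so a crafted header can neither overflow the product nor
 * wrap the pointer sum past pend. */
static int IQM_RangeOK(size_t bufsize, unsigned int ofs, unsigned int count, size_t elemsize)
{
	if (ofs > bufsize)
		return 0;
	return elemsize == 0 || count <= (bufsize - ofs) / elemsize;
}

	/* … unchanged: id/version checks … */
	bufsize = (size_t)(pend - pbase);   /* size_t bufsize, elemsize: declare with the other locals */
	if (!IQM_RangeOK(bufsize, header->ofs_text, header->num_text, 1) ||
		!IQM_RangeOK(bufsize, header->ofs_meshes, header->num_meshes, sizeof(iqmmesh_t)) ||
		!IQM_RangeOK(bufsize, header->ofs_vertexarrays, header->num_vertexarrays, sizeof(iqmvertexarray_t)) ||
		!IQM_RangeOK(bufsize, header->ofs_triangles, header->num_triangles, sizeof(int[3])) ||
		(header->ofs_neighbors && !IQM_RangeOK(bufsize, header->ofs_neighbors, header->num_triangles, sizeof(int[3]))) ||
		!IQM_RangeOK(bufsize, header->ofs_joints, header->num_joints, sizeof(iqmjoint_t)) ||
		!IQM_RangeOK(bufsize, header->ofs_poses, header->num_poses, sizeof(iqmpose_t)) ||
		!IQM_RangeOK(bufsize, header->ofs_anims, header->num_anims, sizeof(iqmanim_t)) ||
		header->num_framechannels > bufsize / sizeof(unsigned short) ||   /* keeps the product below from overflowing */
		!IQM_RangeOK(bufsize, header->ofs_frames, header->num_frames, header->num_framechannels * sizeof(unsigned short)) ||
		!IQM_RangeOK(bufsize, header->ofs_comment, header->num_comment, 1))
	{
		Con_Printf("%s has invalid size or offset information\n", loadmodel->name);
		return;
	}
	/* … unchanged: vertex array byte swapping … */
		switch (va[i].format)
		{
		case IQM_FLOAT: elemsize = sizeof(float); break;
		case IQM_UBYTE: elemsize = sizeof(unsigned char); break;
		default: continue;
		}
		if (va[i].size > bufsize / elemsize ||
			!IQM_RangeOK(bufsize, va[i].offset, header->num_vertexes, va[i].size * elemsize))
			continue;
```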