Merge pull request #5110 from sashashura/4890437695700992

Fix Heap-buffer-overflow READ in Assimp::MD5::MD5MeshParser::MD5MeshParser
assimp · Jun 8, 2023 · 9950bb4 · 9950bb4
2 parents d5844f2 + 11dede8
commit 9950bb4
Showing 1 changed file with 14 additions and 9 deletions.
diff --git a/code/AssetLib/MD5/MD5Parser.cpp b/code/AssetLib/MD5/MD5Parser.cpp
@@ -228,15 +228,20 @@ bool MD5Parser::ParseSection(Section &out) {
     out.data[out.length] = '\0';
 
 // parse a string, enclosed in quotation marks
-#define AI_MD5_PARSE_STRING_IN_QUOTATION(out)  \
-    while ('\"' != *sz)                        \
-        ++sz;                                  \
-    const char *szStart = ++sz;                \
-    while ('\"' != *sz)                        \
-        ++sz;                                  \
-    const char *szEnd = (sz++);                \
-    out.length = (ai_uint32)(szEnd - szStart); \
-    ::memcpy(out.data, szStart, out.length);   \
+#define AI_MD5_PARSE_STRING_IN_QUOTATION(out)          \
+    out.length = 0;                                    \
+    while ('\"' != *sz && '\0' != *sz)                 \
+        ++sz;                                          \
+    if ('\0' != *sz) {                                 \
+        const char *szStart = ++sz;                    \
+        while ('\"' != *sz && '\0' != *sz)             \
+            ++sz;                                      \
+        if ('\0' != *sz) {                             \
+            const char *szEnd = (sz++);                \
+            out.length = (ai_uint32)(szEnd - szStart); \
+            ::memcpy(out.data, szStart, out.length);   \
+        }                                              \
+    }                                                  \
     out.data[out.length] = '\0';
 // ------------------------------------------------------------------------------------------------
 // .MD5MESH parsing function